From owner-freebsd-security Mon Jul 24 01:55:56 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id BAA11748 for security-outgoing; Mon, 24 Jul 1995 01:55:56 -0700
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id BAA11742 for ; Mon, 24 Jul 1995 01:55:44 -0700
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.11/8.6.9) with SMTP id BAA00452 for ; Mon, 24 Jul 1995 01:16:09 -0700
Prev-Resent: Mon, 24 Jul 1995 01:16:08 -0700
Prev-Resent: "security@freebsd.org "
Received: from throck.cdrom.com (throck.cdrom.com [192.216.222.225]) by time.cdrom.com (8.6.11/8.6.9) with ESMTP id NAA00436 for ; Sun, 23 Jul 1995 13:40:00 -0700
Received: from brewhq.swb.de (brewhq.swb.de [193.175.30.3]) by throck.cdrom.com (8.6.11/8.6.9) with SMTP id GAA18677 for ; Sun, 23 Jul 1995 06:21:06 -0700
Received: by brewhq.swb.de (Linux Smail3.1.29.0 #5) id m0sa0vo-0005BoC; Sun, 23 Jul 95 15:18 MET DST
Received: by monad.swb.de (smail3.1.29.0 #5) id m0sa1JM-00005JC; Sun, 23 Jul 95 15:43 MET DST
Message-Id:
From: okir@monad.swb.de (Olaf Kirch)
Subject: Tentative fix for BSD lpr (fwd)
To: jkh@time.cdrom.com
Date: Sun, 23 Jul 1995 15:43:15 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 6261
Resent-To: security@freebsd.org
Resent-Date: Mon, 24 Jul 1995 01:16:09 -0700
Resent-Message-ID: <450.806573769@time.cdrom.com>
Resent-From: "Jordan K. Hubbard"
Sender: security-owner@freebsd.org
Precedence: bulk

Hello,

Prompted by the lpr -r -s problems recently reported on bugtraq and linux-security, I looked into the lpr source and came up with a couple of patches. I was told that you are maintaining the original BSD source base of lpd/lpr, so I thought you might be interested in taking a look at those.
If this is no news for you, and you've already fixed the problem yourself, please feel free to ignore my mail.

The patch is against a slightly modified source from the Linux NetKit distribution of BSD networking stuff. It does the following things:

* Attempt to fix the lpr -r and lpr -r -s race conditions. Code related to job file removal can be found in the following places:

  lpr: after the job has been spooled (lpr -r)
  lpd: after the job has been successfully printed (lpr -r -s)
  lprm: when removing a pending job (lpr -r -s)

  Unlinking now always happens under the euid/egid of the user who submitted the job. This is easy for lpr, but slightly more difficult for lpd/lprm. Trusting that the job description files are ok, I extract the user and host name and match them against hosts.equiv and .rhosts to make sure the accounts are equivalent. There's a tiny difference between lpd and lprm: lpd still has the FQDN of the original submitter's host, while lprm has to use the host information from the job description file (currently not checked against the sender's hostname).

* Made the /dev/printer Unix socket mode 600. It used to be 777 thus allowing anyone to submit faked jobs with false credentials.

* Avoid the FTP bounce attack.

* Fixed a possible stack overwrite problem in rmjob.c. There may be more of those lurking.

[there was another overwrite problem in chkhost, where the hostname buffer was too small (50 bytes). Fortunately, the function never returns when it fails to validate the hostname, so there's no way to inject worm-like code through bogus DNS PTR records].

The patch follows below.

Best wishes,
Olaf

------------------------------------------------------------------

--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
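
The first item in the message above, removing job files under the euid/egid of the submitting user, can be sketched in C as follows. This is an added example, not code from Olaf Kirch's patch or from the BSD lpr sources; `unlink_as_user`, `demo_remove_own_file` and the scratch path are hypothetical names.

```c
/* Added example: not taken from Olaf Kirch's patch or the BSD lpr sources. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Remove `path` with the effective gid/uid of the user who submitted the
 * job, so the kernel checks that user's rights on the containing directory
 * instead of the daemon's. Returns 0 on success, -1 with errno set.
 * Supplementary groups are left untouched here; a daemon running as root
 * would also have to replace them (setgroups/initgroups) before the call.
 */
int unlink_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int rc, saved_errno;

    /* Group first: after seteuid() to a non-root user, setegid() to an
     * arbitrary group would be refused. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        saved_errno = errno;
        if (setegid(saved_egid) != 0)
            abort();            /* cannot get back to a known state */
        errno = saved_errno;
        return -1;
    }

    /* unlink() removes the directory entry itself and never follows a
     * symlink in the last path component. */
    rc = unlink(path);
    saved_errno = errno;

    /* Regain the daemon's identity in reverse order: uid, then gid. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();

    errno = saved_errno;
    return rc;
}

/*
 * Constructed self-check: create a scratch file, remove it through
 * unlink_as_user() with our own ids, and confirm that the file is gone
 * and the effective ids are unchanged afterwards. Returns 0 on success.
 */
int demo_remove_own_file(void)
{
    char path[] = "/tmp/dfA_exampleXXXXXX";   /* constructed job-file name */
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    close(fd);
    if (unlink_as_user(path, euid, egid) != 0)
        return -2;
    if (access(path, F_OK) == 0)
        return -3;              /* file still present */
    if (geteuid() != euid || getegid() != egid)
        return -4;              /* credentials were not restored */
    return 0;
}

int main(void)
{
    int rc = demo_remove_own_file();
    printf("demo_remove_own_file() = %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

For lpd and lprm the uid and gid passed in would be those of the account named in the job description file, after the hosts.equiv/.rhosts equivalence check the message describes.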

From owner-freebsd-security Mon Jul 24 09:47:15 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id JAA26597 for security-outgoing; Mon, 24 Jul 1995 09:47:15 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id JAA26590 ; Mon, 24 Jul 1995 09:47:03 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id SAA10781; Mon, 24 Jul 1995 18:41:26 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id SAA23989; Mon, 24 Jul 1995 18:41:25 +0200
Message-Id: <199507241641.SAA23989@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: pst@stupi.se (Paul Traina)
Cc: rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
Date: Mon, 24 Jul 1995 18:41:24 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> From: pst@stupi.se (Paul Traina)
> To: Mark Murray
> Subject: Re: secure/ changes...
> Date: Thu, 20 Jul 1995 04:30:23 -0700
> Sender: pst@cisco.com
>
> I'd appreciate it if you could add me to the list for foreign committers.

Sure. Send a message to my Majordomo (majordomo@grondar.za) with the one line:

subscribe freebsd-foreign-secure [your email address]

> Question: How will we keep the external-to-US and internal-to-US repositories
> in sync? All we need to do is regularly import and diff the repositories,
> or better yet, just make the US secure a slave to the ZA secure CVS
> repository.

I like these ideas. Let's just do the regular diffs to start off, and see how it goes later. I have a ton of work to do to get these under way, and I need to clear a lot of email right now..

> From: Mark Murray
> Subject: Re: secure/ changes...
> Hi
>
> I am gearing up to look after the out-of-US code right now.
> For the next
> four days, I will be out of contact as my Mom has had an accident, and I
> need to fly from Cape Town to Pretoria to sort out some issues.
>
> Please mail the diffs to me.
>
> For what it's worth, I now have a complete copy of the foreign secure code
> in a CVS repository, and when I return, I will set up mailing lists and
> commit rights for those who need them.

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Mon Jul 24 10:24:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id KAA28471 for security-outgoing; Mon, 24 Jul 1995 10:24:07 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id KAA28460 ; Mon, 24 Jul 1995 10:24:04 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id KAA19257; Mon, 24 Jul 1995 10:23:27 -0700
From: "Rodney W. Grimes"
Message-Id: <199507241723.KAA19257@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: mark@grondar.za (Mark Murray)
Date: Mon, 24 Jul 1995 10:23:26 -0700 (PDT)
Cc: pst@stupi.se, rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507241641.SAA23989@grumble.grondar.za> from "Mark Murray" at Jul 24, 95 06:41:24 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1951
Sender: security-owner@freebsd.org
Precedence: bulk

>
> > From: pst@stupi.se (Paul Traina)
> > To: Mark Murray
> > Subject: Re: secure/ changes...
> > Date: Thu, 20 Jul 1995 04:30:23 -0700
> > Sender: pst@cisco.com
> >
> > I'd appreciate it if you could add me to the list for foreign committers.
>
> Sure.
> Send a message to my Majordomo (majordomo@grondar.za) with the one
> line:
>
> subscribe freebsd-foreign-secure [your email address]
>
> > Question: How will we keep the external-to-US and internal-to-US repositories
> > in sync? All we need to do is regularly import and diff the repositories,
> > or better yet, just make the US secure a slave to the ZA secure CVS
> > repository.
>
> I like these ideas. Let's just do the regular diffs to start off, and see how
> it goes later. I have a ton of work to do to get these under way, and I need
> to clear a lot of email right now..

As already pointed out no less than 2 times, DES is a munition, importing munitions is just as regulated as exporting them. Making freefall's cvs/ secure bits a slave to the ZA site is just as much a problem as exporting the bits from freefall :-(.

> > From: Mark Murray
> > Subject: Re: secure/ changes...
> > Hi
> >
> > I am gearing up to look after the out-of-US code right now. For the next
> > four days, I will be out of contact as my Mom has had an accident, and I
> > need to fly from Cape Town to Pretoria to sort out some issues.
> >
> > Please mail the diffs to me.
> >
> > For what it's worth, I now have a complete copy of the foreign secure code
> > in a CVS repository, and when I return, I will set up mailing lists and
> > commit rights for those who need them.
> --
> Mark Murray
> 46 Harvey Rd, Claremont, Cape Town 7700, South Africa
> +27 21 61-3768 GMT+0200
>

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Mon Jul 24 10:51:14 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id KAA00284 for security-outgoing; Mon, 24 Jul 1995 10:51:14 -0700
Received: from who.cdrom.com (who.cdrom.com [192.216.222.3]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id KAA00273 ; Mon, 24 Jul 1995 10:51:11 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by who.cdrom.com (8.6.11/8.6.11) with ESMTP id KAA23175 ; Mon, 24 Jul 1995 10:50:02 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id TAA10879; Mon, 24 Jul 1995 19:48:46 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id TAA25615; Mon, 24 Jul 1995 19:48:45 +0200
Message-Id: <199507241748.TAA25615@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: "Rodney W. Grimes"
cc: mark@grondar.za (Mark Murray), pst@stupi.se, rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
Date: Mon, 24 Jul 1995 19:48:45 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> > > Question: How will we keep the external-to-US and internal-to-US
> > > repositories in sync? All we need to do is regularly import and
> > > diff the repositories, or better yet, just make the US secure a
> > > slave to the ZA secure CVS repository.
> >
> > I like these ideas. Let's just do the regular diffs to start off,
> > and see how it goes later. I have a ton of work to do to get these
> > under way, and I need to clear a lot of email right now..
>
> As already pointed out no less than 2 times, DES is a munition, importing
> munitions is just as regulated as exporting them. Making freefall's cvs/
> secure bits a slave to the ZA site is just as much a problem as exporting
> the bits from freefall :-(.

I buy that. How do we explain though, that our eBones (which is in the same class) and our DES are clearly documented as having come from Australia? Is the FreeBSD code already in the muck? (I need to know, 'cos I'm going to upgrade or modify both of these soon)

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Mon Jul 24 11:56:31 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA05241 for security-outgoing; Mon, 24 Jul 1995 11:56:31 -0700
Received: from rocky.sri.MT.net (sri.MT.net [204.94.231.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA05235 for ; Mon, 24 Jul 1995 11:56:29 -0700
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id MAA25903; Mon, 24 Jul 1995 12:57:35 -0600
Date: Mon, 24 Jul 1995 12:57:35 -0600
Message-Id: <199507241857.MAA25903@rocky.sri.MT.net>
To: "Rodney W. Grimes"
Cc: mark@grondar.za (Mark Murray), pst@stupi.se, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
In-Reply-To: <199507241723.KAA19257@gndrsh.aac.dev.com>
References: <199507241641.SAA23989@grumble.grondar.za> <199507241723.KAA19257@gndrsh.aac.dev.com>
Reply-To: nate@sneezy.sri.com (Nate Williams)
From: nate@sneezy.sri.com (Nate Williams)
Sender: security-owner@freebsd.org
Precedence: bulk

>
> As already pointed out no less than 2 times, DES is a munition, importing
> munitions is just as regulated as exporting them. Making freefall's cvs/
> secure bits a slave to the ZA site is just as much a problem as exporting
> the bits from freefall :-(.

Actually, I'm almost positive that you can import the sources w/out any problems, it's the export that will give you grief. Sean Fagan seemed to know the skinny on this.

Nate

From owner-freebsd-security Mon Jul 24 12:57:58 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA08297 for security-outgoing; Mon, 24 Jul 1995 12:57:58 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA08287 ; Mon, 24 Jul 1995 12:57:55 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id MAA19765; Mon, 24 Jul 1995 12:56:37 -0700
From: "Rodney W. Grimes"
Message-Id: <199507241956.MAA19765@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: mark@grondar.za (Mark Murray)
Date: Mon, 24 Jul 1995 12:56:37 -0700 (PDT)
Cc: mark@grondar.za, pst@stupi.se, rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507241748.TAA25615@grumble.grondar.za> from "Mark Murray" at Jul 24, 95 07:48:45 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1684
Sender: security-owner@freebsd.org
Precedence: bulk

>
> > > > Question: How will we keep the external-to-US and internal-to-US
> > > > repositories in sync? All we need to do is regularly import and
> > > > diff the repositories, or better yet, just make the US secure a
> > > > slave to the ZA secure CVS repository.
> > >
> > > I like these ideas. Let's just do the regular diffs to start off,
> > > and see how it goes later. I have a ton of work to do to get these
> > > under way, and I need to clear a lot of email right now..
> >
> > As already pointed out no less than 2 times, DES is a munition, importing
> > munitions is just as regulated as exporting them.
> > Making freefall's cvs/
> > secure bits a slave to the ZA site is just as much a problem as exporting
> > the bits from freefall :-(.
>
> I buy that. How do we explain though, that our eBones (which is in the
> same class) and our DES are clearly documented as having come from
> Australia? Is the FreeBSD code already in the muck? (I need to know, 'cos
> I'm going to upgrade or modify both of these soon)

Sean says I am wrong, well, perhaps I am, but last time I checked encryption software was still on the munitions list, and anything on that list is subject to import as well as export regulations. If in fact encryption software has been removed from the munitions lists we are probably fine to import it.

Someone care to go deal with our lovely state department??? [I don't want to deal with another US government agency right now, the IRS is being a royal pain in the *ss for me right now :-(]

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Tue Jul 25 03:53:21 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id DAA20801 for security-outgoing; Tue, 25 Jul 1995 03:53:21 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id DAA20792 ; Tue, 25 Jul 1995 03:53:16 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id DAA03749; Tue, 25 Jul 1995 03:51:53 -0700
Message-Id: <199507251051.DAA03749@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: mark@grondar.za (Mark Murray), pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Tue, 25 Jul 1995 03:51:52 -0700
From: "David E. Tweten"
Sender: security-owner@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Rodney W. Grimes writes:
> As already pointed out no less than 2 times, DES is a munition, importing
> munitions is just as regulated as exporting them. Making freefall's cvs/
> secure bits a slave to the ZA site is just as much a problem as exporting
> the bits from freefall :-(.

That's an interesting assertion. This is the first time I've ever seen the assertion that importing "munitions" is at all restricted in the U.S. The long-standing general assumption on the alt.security.pgp news group is that importation of "munitions" (such as PGP) into the U.S. is not controlled.

Do you have any references to back up the assertion?

- --
David E. Tweten | PGP Key fingerprint = | tweten@frihet.com
12141 Atrium Drive | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.

From owner-freebsd-security Tue Jul 25 08:48:56 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id IAA00154 for security-outgoing; Tue, 25 Jul 1995 08:48:56 -0700
Received: from netmail1.austin.ibm.com (netmail1.austin.ibm.com [129.35.208.96]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id IAA00145 ; Tue, 25 Jul 1995 08:48:52 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail1.austin.ibm.com (8.6.11/8.6.11) with SMTP id KAA58936; Tue, 25 Jul 1995 10:47:36 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for freebsd-foreign-secure@grondar.za at austin.ibm.com; id AA14801; Tue, 25 Jul 1995 10:45:51 -0500
Message-Id: <9507251545.AA14801@ozymandias.austin.ibm.com>
To: "Rodney W. Grimes"
Cc: mark@grondar.za (Mark Murray), pst@stupi.se, rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Mon, 24 Jul 1995 10:23:26 CDT.) <199507241723.KAA19257@gndrsh.aac.dev.com>
Date: Tue, 25 Jul 1995 10:45:51 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

In message <199507241723.KAA19257@gndrsh.aac.dev.com> "Rodney W. Grimes" writes:
>As already pointed out no less than 2 times, DES is a munition, importing
>munitions is just as regulated as exporting them.
>Making freefall's cvs/
>secure bits a slave to the ZA site is just as much a problem as exporting
>the bits from freefall :-(.

I'm not a lawyer, but I've tried to keep up on this.

Controls on munitions are authorized by the Arms Export Control Act (22 USC Sec 2778), and the details are set in the International Traffic in Arms Regulation (ITAR).

A quick glance through ITAR shows you're likely wrong. It's only the export or "temporary import" that are controlled, where "temporary import means bringing into the U.S. from a foreign country any defense article that is to be returned to the country from which it was shipped or taken, or any defense article that is in transit to another foreign destination." Section 120.18 specifically states that, "Permanent imports are regulated by the Department of the Treasury (see 27 CFR parts 47, 178 and 179)."

In eight or nine months of following this ridiculous law, I've never heard of any problems *importing* crypto, only *exporting*.

From owner-freebsd-security Tue Jul 25 12:22:41 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA08710 for security-outgoing; Tue, 25 Jul 1995 12:22:41 -0700
Received: from kithrup.com (kithrup.com [140.174.23.40]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA08704 for ; Tue, 25 Jul 1995 12:22:39 -0700
Received: (from sef@localhost) by kithrup.com (8.6.8/8.6.6) id MAA13762 for security@freebsd.org; Tue, 25 Jul 1995 12:22:37 -0700
Date: Tue, 25 Jul 1995 12:22:37 -0700
From: Sean Eric Fagan
Message-Id: <199507251922.MAA13762@kithrup.com>
To: security@freebsd.org
Subject: cryptography, exporting, and cases
Sender: security-owner@freebsd.org
Precedence: bulk

A coworker pointed me at: ftp://ftp.cygnus.com/pub/export/export.html. It discusses the legalities of exporting security software, and should probably be looked at by people on this list.

Sean.

From owner-freebsd-security Tue Jul 25 18:35:38 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id SAA22078 for security-outgoing; Tue, 25 Jul 1995 18:35:38 -0700
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id SAA22072 for ; Tue, 25 Jul 1995 18:35:34 -0700
Received: from localhost (localhost [127.0.0.1]) by palmer.demon.co.uk (8.6.11/8.6.11) with SMTP id CAA00267 for ; Wed, 26 Jul 1995 02:34:26 +0100
X-Authentication-Warning: palmer.demon.co.uk: Host localhost didn't use HELO protocol
To: security@freebsd.org
Subject: Firewall log conversion utility....
Date: Wed, 26 Jul 1995 02:34:26 +0100
Message-ID: <265.806722466@palmer.demon.co.uk>
From: Gary Palmer
Sender: security-owner@freebsd.org
Precedence: bulk

Hi

I've written a short perl script which will take the output of the FreeBSD kernel firewall software (which is pretty unreadable as it's all in dotted IP address format - being kernel level doing DNS lookups is `interesting' :-) ) and turn it into something more readable.

e.g. it would take a line like:

Jul 26 02:24:35 firewall /kernel: Deny TCP 192.216.222.4:1405 192.216.223.172:23

(which appears in /var/log/messages if you use the logging version of the filter commands, or any other place you specify kernel messages to be sent to) and turn it into:

Jul 24 18:11:51 firewall TCP freefall.cdrom.com:1405 mother.cdrom.com:telnet

(it removes the kernel name deliberately - I didn't think it was important).

It does a DNS lookup on both IP addresses, and also a getservbyport() on both ports, and prints out (or the way I've got it set, mails to root) the results.

Anyone else want to see something like this? If so, I'll tidy up my version a bit and send it out...
(it's kinda messy at the moment, being my first perl script to touch on doing non-string operations, like getservbyport() :-) )

Gary

From owner-freebsd-security Tue Jul 25 19:01:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id TAA23154 for security-outgoing; Tue, 25 Jul 1995 19:01:04 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id TAA23147 ; Tue, 25 Jul 1995 19:01:00 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id TAA23061; Tue, 25 Jul 1995 19:00:05 -0700
From: "Rodney W. Grimes"
Message-Id: <199507260200.TAA23061@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Tue, 25 Jul 1995 19:00:05 -0700 (PDT)
Cc: mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507251051.DAA03749@tale.frihet.com> from "David E. Tweten" at Jul 25, 95 03:51:52 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2035
Sender: security-owner@FreeBSD.ORG
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Rodney W. Grimes writes:
> > As already pointed out no less than 2 times, DES is a munition, importing
> > munitions is just as regulated as exporting them. Making freefall's cvs/
> > secure bits a slave to the ZA site is just as much a problem as exporting
> > the bits from freefall :-(.
>
> That's an interesting assertion. This is the first time I've ever seen the
> assertion that importing "munitions" is at all restricted in the U.S. The
> long-standing general assumption on the alt.security.pgp news group is that
> importation of "munitions" (such as PGP) into the U.S. is not controlled.

PGP is a one way hash function, it is not encryption software, thus it does not fall on the munitions lists, thus it is not restricted.

DES is encryption software, it is on the munitions lists, munitions export AND import is regulated by the US federal government, both the State Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have regulations controlling imports to the US of any and all ``munitions''.

> Do you have any references to back up the assertion?

Various import and export paper work from UPS, Federal Express, and DLH all state that ``firearms'' and or ``munitions'' are regulated for import and export and require special paper work. Generally this reads: ``We accept shipments of firearms when either the shipper or recipient is a licensed manufacturer, licensed importer, licensed dealer or licensed collector who is not prohibited from such shipments by federal, state or local regulations.''

I do not have a direct reference to the State Department munitions list, or the applicable ATF regulations, but I do assure you they exist, and they are enforced (reference, Austin Code Works was indicted in 1994 by the US State Department for shipping DES software out of the US on CDROM).

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Tue Jul 25 20:21:17 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id UAA01252 for security-outgoing; Tue, 25 Jul 1995 20:21:17 -0700
Received: from kithrup.com (kithrup.com [140.174.23.40]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id UAA01245 for ; Tue, 25 Jul 1995 20:21:15 -0700
Received: (from sef@localhost) by kithrup.com (8.6.8/8.6.6) id UAA20861; Tue, 25 Jul 1995 20:18:06 -0700
Date: Tue, 25 Jul 1995 20:18:06 -0700
From: Sean Eric Fagan
Message-Id: <199507260318.UAA20861@kithrup.com>
To: rgrimes@gndrsh.aac.dev.com
Subject: Re: secure/ changes...
Newsgroups: kithrup.freebsd.security
In-Reply-To: <199507260200.TAA23061.kithrup.freebsd.security@gndrsh.aac.dev.com>
References: <199507251051.DAA03749@tale.frihet.com> from "David E. Tweten" at Jul 25, 95 03:51:52 am
Organization: Kithrup Enterprises, Ltd.
Cc: security@freebsd.org, mark@grondar.za, pst@stupi.se
Sender: security-owner@freebsd.org
Precedence: bulk

In article <199507260200.TAA23061.kithrup.freebsd.security@gndrsh.aac.dev.com> you write:

You're a bright guy, Rod, and it's hard for me to say this, but: almost everything in your message was WRONG.

>PGP is a one way hash function, it is not encryption software, thus it
>does not fall on the munitions lists, thus it is not restricted.

PGP is encryption software. It uses RSA. It is a munition. This is why Zimmerman is currently facing a possible Grand Jury indictment, for ITAR violations -- exporting munitions.

Perhaps you're thinking of MD5, which is a checksum function, and cannot be used to `decrypt.' (PGP does use MD5, admittedly.)

>DES is encryption software, it is on the munitions lists, munitions export
>AND import is regulated by the US federal government, both the State
>Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
>regulations controlling imports to the US of any and all ``munitions''.

The first line is correct. The first part of the second line is incorrect.

You can import as much encryption software as you want, *PROVIDED* it wasn't illegally exported. (I don't understand why that is the case.)

I verified this today with someone who makes his living working on encryption software, and I promise you: he's dealt with all of the regulations and paperwork before, and has even *gotten* the correct paperwork to export certain items.

>Various import and export paper work from UPS, Federal Express, and DLH
>all state that ``firearms'' and or ``munitions'' are regulated for import
>and export and require special paper work.
Generally this reads:
>``We accept shipments of firearms when either the shipper or recipient
>is a licensed manufacturer, licensed importer, licensed dealer or licensed
>collector who is not prohibited from such shipments by federal, state or
>local regulations.''

UPS, Federal Express, and DLH are not the federal government. In addition, "firearms" are a subset of "munitions," and what all the couriers (and the post office) mean by "munitions" are the hardware kind, not software of any sort.

>I do not have a direct reference to the State Department munitions list,
>or the applicable ATF regulations, but I do assure you they exist, and
>they are enforced (reference, Austin Code Works was indicted in 1994 by
>the US State Department for shipping DES software out of the US on CDROM).

I don't think anyone has denied that it is illegal to export DES source code. (It is legal to export binary software that uses DES in certain circumstances.)

It is not illegal to import DES. Or PGP. Or any other software that does encryption (given the caveat above).

It is not illegal or forbidden to ship encryption software domestically, via the US Postal Service, or any of the couriers. If I understand things correctly, Canada and Mexico may also be allowed, but I'm not sure.

I verified all of this today with someone who's had to deal with the regulations. Have you?

Sean.

From owner-freebsd-security Tue Jul 25 22:59:11 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id WAA06052 for security-outgoing; Tue, 25 Jul 1995 22:59:11 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id WAA06045 for ; Tue, 25 Jul 1995 22:59:07 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id WAA24037; Tue, 25 Jul 1995 22:58:54 -0700
From: "Rodney W. Grimes"
Message-Id: <199507260558.WAA24037@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: sef@kithrup.com (Sean Eric Fagan)
Date: Tue, 25 Jul 1995 22:58:54 -0700 (PDT)
Cc: security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <199507260318.UAA20861@kithrup.com> from "Sean Eric Fagan" at Jul 25, 95 08:18:06 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 5501
Sender: security-owner@freebsd.org
Precedence: bulk

>
> In article <199507260200.TAA23061.kithrup.freebsd.security@gndrsh.aac.dev.com> you write:
> You're a bright guy, Rod, and it's hard for me to say this, but: almost
> everything in your message was WRONG.
>
> >PGP is a one way hash function, it is not encryption software, thus it
> >does not fall on the munitions lists, thus it is not restricted.
>
> PGP is encryption software. It uses RSA. It is a munition. This is why
> Zimmermann is currently facing a possible Grand Jury indictment, for ITAR
> violations -- exporting munitions.

:-(

> Perhaps you're thinking of MD5, which is a checksum function, and cannot be
> used to `decrypt.' (PGP does use MD5, admittedly.)

Yes, you're right, I was thinking of MD5.

> >DES is encryption software, it is on the munitions lists, munitions export
> >AND import is regulated by the US federal government, both the State
> >Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> >regulations controlling imports to the US of any and all ``munitions''.
>
> The first line is correct. The first part of the second line is incorrect.

No, it is NOT wrong. Import is regulated, period, ALL imports are regulated, they must pass through US customs. Many things are not restricted for import, but nonetheless, importing is a regulated operation, period. I may be wrong that munitions are restricted from import, but I am not wrong that they are regulated.

> You can import as much encryption software as you want, *PROVIDED* it wasn't
> illegally exported. (I don't understand why that is the case.)
>
> I verified this today with someone who makes his living working on
> encryption software, and I promise you: he's dealt with all of the
> regulations and paperwork before, and has even *gotten* the correct
> paperwork to export certain items.

He is A) not a lawyer, B) not an ATF representative and C) not a State Department representative. His ``interpretation'' of the law, though probably carrying more weight than mine, is not a statement of fact, it is one of his opinion. He may have done export, but has he looked at the import issue, it probably takes just as much paper work :-(. Also you have to look at the applicable laws from where the goods originate, even if US law does not restrict the import of DES, the laws of many other countries forbid its export.

> >Various import and export paper work from UPS, Federal Express, and DLH
> >all state that ``firearms'' and or ``munitions'' are regulated for import
> >and export and require special paper work. Generally this reads:
> >``We accept shipments of firearms when either the shipper or recipient
> >is a licensed manufacturer, licensed importer, licensed dealer or licensed
> >collector who is not prohibited from such shipments by federal, state or
> >local regulations.''
>
> UPS, Federal Express, and DLH are not the federal government. In addition,
> "firearms" are a subset of "munitions," and what all the couriers (and the
> post office) mean by "munitions" are the hardware kind, not software of any
> sort.

No, that is why they add that final all cover sentence, they are protecting themselves with ``who is not prohibited from such shipments by federal, state or local regulations.'' I am prohibited by Federal law from exporting DES, so UPS/FedEX and all the others have covered their ass with the above.
> >I do not have a direct reference to the State Department munitions list,
> >or the applicable ATF regulations, but I do assure you they exist, and
> >they are enforced (reference, Austin Code Works was indicted in 1994 by
> >the US State Department for shipping DES software out of the US on CDROM).
>
> I don't think anyone has denied that it is illegal to export DES source
> code. (It is legal to export binary software that uses DES in certain
> circumstances.)

Agreed.

> It is not illegal to import DES. Or PGP. Or any other software that does
> encryption (given the caveat above).

I disagree.

> It is not illegal or forbidden to ship encryption software domestically, via
> the US Postal Service, or any of the couriers. If I understand things
> correctly, Canada and Mexico may also be allowed, but I'm not sure.

I didn't even mention domestic, I was quoting chapter and verse from the international shippers guide of Fed Ex. My UPS international guide has very similar statements in it. Canada and Mexico still go through customs, so though it may be allowed, it will be regulated.

> I verified all of this today with someone who's had to deal with the
> regulations. Have you?

See above. And no, but I do deal with US customs paper work on a weekly basis, just ask a few of my international customers. And if you want to make a real point, go get the ATF and State department's import/export stuff, and talk with _THEM_ about imports. Not some one who has done DES exporting, I know that can be done, it just takes paper work (on a per copy basis, I know all about it, been there done that, is what _NO_ one has done is go try to find out exactly what paper work customs want to allow the stuff across the border if you clearly point them at the fact this stuff _is_ on the munitions list). You might just be in for a very big surprise, or I might be all wet. But I am not willing to risk Grand Jury indictment on this hearsay information.
--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 00:08:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id AAA08886 for security-outgoing; Wed, 26 Jul 1995 00:08:37 -0700
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id AAA08880 for ; Wed, 26 Jul 1995 00:08:36 -0700
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id JAA09416 ; Wed, 26 Jul 1995 09:08:34 +0200
Received: from (roberto@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) id JAA11579 ; Wed, 26 Jul 1995 09:08:33 +0200
From: roberto@blaise.ibp.fr (Ollivier Robert)
Message-Id: <199507260708.JAA11579@blaise.ibp.fr>
Subject: Re: Firewall log conversion utility....
To: gary@palmer.demon.co.uk (Gary Palmer)
Date: Wed, 26 Jul 1995 09:08:32 +0200 (MET DST)
Cc: security@freebsd.org
In-Reply-To: <265.806722466@palmer.demon.co.uk> from "Gary Palmer" at Jul 26, 95 02:34:26 am
X-Operating-System: FreeBSD 2.2-CURRENT ctm#880
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 409
Sender: security-owner@freebsd.org
Precedence: bulk

> Anyone else want to see something like this? If so, I'll tidy up my
> version a bit and send it out... (it's kinda messy at the moment,
> being my first perl script to touch on doing non-string operations,
> like getservbyport() :-) )

I'm interested, please send it.

--
Ollivier ROBERT -=- The daemon is FREE!
-=- roberto@FreeBSD.ORG
FreeBSD 2.2-CURRENT #5: Fri Jul 14 12:28:04 MET DST 1995

From owner-freebsd-security Wed Jul 26 00:12:19 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id AAA09103 for security-outgoing; Wed, 26 Jul 1995 00:12:19 -0700
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id AAA09097 ; Wed, 26 Jul 1995 00:12:17 -0700
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id JAA09428 ; Wed, 26 Jul 1995 09:11:28 +0200
Received: from (roberto@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) id JAA11590 ; Wed, 26 Jul 1995 09:11:27 +0200
From: roberto@blaise.ibp.fr (Ollivier Robert)
Message-Id: <199507260711.JAA11590@blaise.ibp.fr>
Subject: Re: secure/ changes...
To: rgrimes@gndrsh.aac.dev.com (Rodney W. Grimes)
Date: Wed, 26 Jul 1995 09:11:27 +0200 (MET DST)
Cc: tweten@frihet.com, mark@grondar.za, pst@stupi.se, rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507260200.TAA23061@gndrsh.aac.dev.com> from "Rodney W. Grimes" at Jul 25, 95 07:00:05 pm
X-Operating-System: FreeBSD 2.2-CURRENT ctm#880
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 429
Sender: security-owner@freebsd.org
Precedence: bulk

>
> PGP is a one way hash function, it is not encryption software, thus it
> does not fall on the munitions lists, thus it is not restricted.

I beg your pardon ? PGP is a full-blown encryption program with IDEA as private-key system and RSA as public-key...

You probably think of MD5...

--
Ollivier ROBERT -=- The daemon is FREE!
-=- roberto@FreeBSD.ORG
FreeBSD 2.2-CURRENT #5: Fri Jul 14 12:28:04 MET DST 1995

From owner-freebsd-security Wed Jul 26 03:43:00 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id DAA14786 for security-outgoing; Wed, 26 Jul 1995 03:43:00 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id DAA14778 ; Wed, 26 Jul 1995 03:42:50 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id DAA08423; Wed, 26 Jul 1995 03:41:19 -0700
Message-Id: <199507261041.DAA08423@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Wed, 26 Jul 1995 03:41:18 -0700
From: "David E. Tweten"
Sender: security-owner@FreeBSD.ORG
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Rodney W. Grimes wrote:
> PGP is a one way hash function, it is not encryption software, thus it
> does not fall on the munitions lists, thus it is not restricted.

Bzzzt! Wrong! PGP uses the RSA public key algorithm, the IDEA private key algorithm and the MD5 secure hash algorithm to provide a reasonably efficient implementation of public key cryptography and digital signature. As such, it does come under munitions restrictions. If you don't believe me, ask the Federal Prosecutor in San Jose, California, and Phil Zimmermann's lawyer. PGP's author, Zimmermann, is currently under investigation for violation of exactly the munitions regulations you mentioned, by virtue of the fact that an early version of PGP escaped the U.S. via anonymous FTP.
That's *exportation*.

> DES is encryption software, it is on the munitions lists, munitions export
> AND import is regulated by the US federal government, both the State
> Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> regulations controlling imports to the US of any and all ``munitions''.

As it turns out, the IDEA algorithm (invented in Europe, and imported into the U.S. with no restrictions, except as relates to subsequent re-exportation) is a direct, and apparently superior, competitor to DES. Instead of a 56-bit key, IDEA uses a 128-bit key. Unlike DES, IDEA is reputed to be impervious to any attack short of guessing its key. And IDEA is an integral part of PGP.

> Various import and export paper work from UPS, Federal Express, and DLH
> all state that ``firearms'' and or ``munitions'' are regulated for import
> and export and require special paper work.

Munitions imports may well be regulated (through Commerce, if my memory serves), but those regulations are so light as not to be noticeable for cryptographic software.

> I do not have a direct reference to the State Department munitions list,
> or the applicable ATF regulations, but I do assure you they exist, and
> they are enforced (reference, Austin Code Works was indicted in 1994 by
> the US State Department for shipping DES software out of the US on CDROM).

As you point out, exportation of crypto, even the relatively innocuous and widely published DES, is strictly (and irrationally) regulated. You are still the only person who I have ever seen maintain that crypto *importation* is restricted in the U.S. That is in contrast to a flood of evidence I've seen to suggest the opposite.

Care to reconsider?

- --
David E. Tweten | PGP Key fingerprint = | tweten@frihet.com
12141 Atrium Drive | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.
From owner-freebsd-security Wed Jul 26 04:08:01 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id EAA15659 for security-outgoing; Wed, 26 Jul 1995 04:08:01 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id EAA15651 for ; Wed, 26 Jul 1995 04:07:56 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id EAA08554; Wed, 26 Jul 1995 04:07:19 -0700
Message-Id: <199507261107.EAA08554@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: Sean Eric Fagan
cc: rgrimes@gndrsh.aac.dev.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Wed, 26 Jul 1995 04:07:18 -0700
From: "David E. Tweten"
Sender: security-owner@freebsd.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Sean Eric Fagan writes:
> You can import as much encryption software as you want, *PROVIDED* it wasn't
> illegally exported. (I don't understand why that is the case.)

Another interesting assertion. If true, all the people who download their copies of MIT PGP from off-shore are in violation.
That prospect doesn't seem to worry any of the scores of people who post to alt.security.pgp about their adventures doing so. As with Rod's import assertion, yours is the first assertion I've seen that there is any dependency on kind of previous export.

The only restriction on import I'm aware of is a requirement to license transit importation. That is, munitions can't be trans-shipped through U.S. territory without a license. The problem, of course, is not really the import half of the transaction, it is the export half.

I'd appreciate it if you could recheck your verification and report back to the list. It is important that we U.S. citizens not scare ourselves into believing that our government is more repressive than it actually is.

- --
David E. Tweten | PGP Key fingerprint = | tweten@frihet.com
12141 Atrium Drive | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.
From owner-freebsd-security Wed Jul 26 04:49:54 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id EAA16654 for security-outgoing; Wed, 26 Jul 1995 04:49:54 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id EAA16631 for ; Wed, 26 Jul 1995 04:49:43 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id EAA08682; Wed, 26 Jul 1995 04:49:10 -0700
Message-Id: <199507261149.EAA08682@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: sef@kithrup.com (Sean Eric Fagan), security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Wed, 26 Jul 1995 04:49:10 -0700
From: "David E. Tweten"
Sender: security-owner@freebsd.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Referring to crypto imports, Rodney W. Grimes wrote:
> Also you have to look at the applicable
> laws from where the goods originate, even if US law does not restrict the
> import of DES, the laws of many other countries forbid its export.

Point well taken.
In fact, several countries (notably France and Russia) make simple possession and use of crypto software illegal without a license, much less export (and good luck trying to get the license). South Africa and the Netherlands, on the other hand seem to have no restrictions on possession or export, which is why anonymous ftp sites for crypto tend to be in those two countries.

> Not some one who has done
> DES exporting, I know that can be done, it just takes paper work (on a
> per copy basis, I know all about it, been there done that, is what
> _NO_ one has done is go try to find out exactly what paper work customs
> want to allow the stuff across the border if you clearly point them
> at the fact this stuff _is_ on the munitions list).

If my memory serves, Prof. Matt Bishop, of U.C. Davis (a nationally recognized computer security type) did something like what you suggest. He tried to temporarily export an AT&T secure phone containing a Clipper chip. He found that Customs was supposed to be the agency with the appropriate paperwork, the local Customs office said the folks at the airport would have the necessary forms, and that the Customs folks at the airport weren't interested. He finally got the airport Customs head honcho to write him a note saying it was okay, and presented that note upon his return. His paper on the subject made amusing reading.

> You might just be
> in for a very big surprise, or I might be all wet. But I am not willing
> to risk Grand Jury indictment on this hearsay information.

I'll suggest that since your opinion on crypto import is a minority (of one) opinion on the net (at least as I observe the net), the burden of proof is yours. If you would like to sample the net conventional wisdom on the subject, just follow any crypto-related news group for a week or so.

- --
David E.
Tweten | PGP Key fingerprint = | tweten@frihet.com
12141 Atrium Drive | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.

From owner-freebsd-security Wed Jul 26 05:05:50 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA17499 for security-outgoing; Wed, 26 Jul 1995 05:05:50 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA17492 ; Wed, 26 Jul 1995 05:05:43 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id FAA25100; Wed, 26 Jul 1995 05:04:43 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261204.FAA25100@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Wed, 26 Jul 1995 05:04:42 -0700 (PDT)
Cc: mark@grondar.za, pst@stupi.se, rgrimes@FreeBSD.ORG, security@FreeBSD.ORG, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507261041.DAA08423@tale.frihet.com> from "David E. Tweten" at Jul 26, 95 03:41:18 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 5091
Sender: security-owner@FreeBSD.ORG
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Rodney W.
Grimes wrote:
> > PGP is a one way hash function, it is not encryption software, thus it
> > does not fall on the munitions lists, thus it is not restricted.
>
> Bzzzt! Wrong! PGP uses the RSA public key algorithm, the IDEA private key
> algorithm and the MD5 secure hash algorithm to provide a reasonably efficient
> implementation of public key cryptography and digital signature. As such, it
> does come under munitions restrictions. If you don't believe me, ask the
> Federal Prosecutor in San Jose, California, and Phil Zimmermann's lawyer.
> PGP's author, Zimmermann, is currently under investigation for violation of
> exactly the munitions regulations you mentioned, by virtue of the fact that
> an
> early version of PGP escaped the U.S. via anonymous FTP.
> That's *exportation*.
>

I have already replied that I had crossed my wires between PGP and MD5. I am not an expert on what all this different software is, does, or how it works, but I do know a fair bit of ``law'' and play the import export business week to week. We are all in agreement that A) DES and cryptography software is on the munitions lists, B) that _export_ of munitions is restricted by at least 1 US Federal law and C) all imports and exports must pass through customs, and thus are at least ``regulated'' [I think we all agree this last one is true, note the word ``regulated'' vs ``restricted'', very important.]

> > DES is encryption software, it is on the munitions lists, munitions export
> > AND import is regulated by the US federal government, both the State
> > Department, and the Bureau of Alcohol, Tobacco and Firearms (ATF) have
> > regulations controlling imports to the US of any and all ``munitions''.
>
> As it turns out, the IDEA algorithm (invented in Europe, and imported into
> the
> U.S. with no restrictions, except as relates to subsequent re-exportation) is
> a direct, and apparently superior, competitor to DES. Instead of a 56-bit
> key, IDEA uses a 128-bit key.
Unlike DES, IDEA is reputed to be impervious
> to
> any attack short of guessing its key. And IDEA is an integral part of PGP.

The quality of algorithms is not a factor to this discussion :-). I could write a crypto package that a 10 year old could crack, it could very well fall under the same ``restrictions'' as DES. There is no statement of algorithm strength in the law :-(.

> > Various import and export paper work from UPS, Federal Express, and DLH
> > all state that ``firearms'' and or ``munitions'' are regulated for import
> > and export and require special paper work.
>
> Munitions imports may well be regulated (through Commerce, if my memory
> serves), but those regulations are so light as not to be noticeable for
> cryptographic software.

Yes, all importing is regulated by at least Commerce, and then depending on just what it is there are a whole other pile of things that can regulate it. Textiles import, believe it or not, can be a royal mess to deal with. As can petroleum products, or any thing subject to import taxation. Importing firearms is very well regulated, you just try to get a shipment past US import customs with ``munitions'' on the commercial invoice without all the proper paper work. They may very well overlook DES labeled as floppy disks, or software, but label as munitions is going to raise a big red flag.

> > I do not have a direct reference to the State Department munitions list,
> > or the applicable ATF regulations, but I do assure you they exist, and
> > they are enforced (reference, Austin Code Works was indicted in 1994 by
> > the US State Department for shipping DES software out of the US on CDROM).
>
> As you point out, exportation of crypto, even the relatively innocuous and
> widely published DES, is strictly (and irrationally) regulated. You are
> still
> the only person who I have ever seen maintain that crypto *importation* is
> restricted in the U.S. That is in contrast to a flood of evidence I've seen
> to suggest the opposite.
But do you have _solid_ evidence, and have you dealt first hand with import and export paper work? Do you know what a Commercial Invoice is? Are you aware that any US import without either a SSN or EIN of the recipient on the import paper work will be held by customs until that information is provided (imports of $1250 that is)? Do you have any idea what a**es US customs can be on the tiniest detail?

>
> Care to reconsider?

No, as no _solid_ evidence has been presented, this is all hearsay. Show me a Commercial Invoice for a US import shipment that clearly marks it as containing munitions in the form of DES and I'll buy it. Or show me that DES is _not_ restricted for import in a US commerce, ATF, or State department import documentation, then I will reconsider my point of view. Or show me an import ``expert'' who agrees with your conclusions.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 05:09:55 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA17686 for security-outgoing; Wed, 26 Jul 1995 05:09:55 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA17680 for ; Wed, 26 Jul 1995 05:09:52 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id FAA25150; Wed, 26 Jul 1995 05:09:31 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261209.FAA25150@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Wed, 26 Jul 1995 05:09:31 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <199507261107.EAA08554@tale.frihet.com> from "David E.
Tweten" at Jul 26, 95 04:07:18 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1688
Sender: security-owner@freebsd.org
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Sean Eric Fagan writes:
> > You can import as much encryption software as you want, *PROVIDED* it wasn't
> > illegally exported. (I don't understand why that is the case.)
>
> Another interesting assertion. If true, all the people who download their
> copies of MIT PGP from off-shore are in violation. That prospect doesn't seem
> to worry any of the scores of people who post to alt.security.pgp about their
> adventures doing so. As with Rod's import assertion, yours is the first
> assertion I've seen that there is any dependency on kind of previous export.
>
> The only restriction on import I'm aware of is a requirement to license
> transit importation. That is, munitions can't be trans-shipped through U.S.
> territory without a license. The problem, of course, is not really the
> import half of the transaction, it is the export half.

And any US import involves an _export_ from some other country, so you have to look at that as well. The US is far from the only country with crypto software as a restricted export.

> I'd appreciate it if you could recheck your verification and report back to
> the list. It is important that we U.S. citizens not scare ourselves into
> believing that our government is more repressive than it actually is.

The US government is a very repressive thing, more so than even I care to admit to. Anything that burns up millions of dollars a day regulating people has just gotten out of hand, but this is a whole nother thread.
--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 05:30:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA17977 for security-outgoing; Wed, 26 Jul 1995 05:30:44 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA17971 for ; Wed, 26 Jul 1995 05:30:41 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id FAA25192; Wed, 26 Jul 1995 05:30:19 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261230.FAA25192@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Wed, 26 Jul 1995 05:30:18 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <199507261149.EAA08682@tale.frihet.com> from "David E. Tweten" at Jul 26, 95 04:49:10 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 4224
Sender: security-owner@freebsd.org
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Referring to crypto imports, Rodney W. Grimes wrote:
> > Also you have to look at the applicable
> > laws from where the goods originate, even if US law does not restrict the
> > import of DES, the laws of many other countries forbid its export.
>
> Point well taken. In fact, several countries (notably France and Russia) make
> simple possession and use of crypto software illegal without a license, much
> less export (and good luck trying to get the license). South Africa and the
> Netherlands, on the other hand seem to have no restrictions on possession or
> export, which is why anonymous ftp sites for crypto tend to be in those two
> countries.

``Seem to have no restrictions'' and ``do not have restrictions'' are quite different.
One is an opinion or assessment of a situation, the other is a definitive on a situation. I will not risk going to jail or even court over such assessments.

> > Not some one who has done
> > DES exporting, I know that can be done, it just takes paper work (on a
> > per copy basis, I know all about it, been there done that, is what
> > _NO_ one has done is go try to find out exactly what paper work customs
> > want to allow the stuff across the border if you clearly point them
> > at the fact this stuff _is_ on the munitions list).
>
> If my memory serves, Prof. Matt Bishop, of U.C. Davis (a nationally
> recognized computer security type) did something like what you suggest. He
> tried to temporarily export an AT&T secure phone containing a Clipper chip.
> He found that Customs was supposed to be the agency with the appropriate
> paperwork, the local Customs office said the folks at the airport would have
> the necessary forms, and that the Customs folks at the airport weren't
> interested. He finally got the airport Customs head honcho to write him a
> note saying it was okay, and presented that note upon his return. His paper
> on the subject made amusing reading.

Proves only one thing, customs can get mighty sloppy at times, and if you don't know how to do exports and imports by the book you will probably defeat yourself in trying to test the hypothesis that importing munitions is regulated. Had he put his ``clipper phone'' in a box and attached a properly written US Commercial Invoice for exportation, and done another one for importation labeling the product as a ``munition'' it would have been looked at very carefully. Since he himself did not even know what paper work you need, nor did he seem to follow the typical government red tape to find out what it was this whole experiment was pretty much a waste of his time.

> > You might just be
> > in for a very big surprise, or I might be all wet.
> > But I am not willing
> > to risk Grand Jury indictment on this hearsay information.
>
> I'll suggest that since your opinion on crypto import is a minority (of one)
> opinion on the net (at least as I observe the net), the burden of proof is
> yours. If you would like to sample the net conventional wisdom on the
> subject, just follow any crypto-related news group for a week or so.

I have no burden of proof, my opinion and interpretation of the law is mine. I will say I stand 0 chance of being indicted for import law violation, as I simply plan to play it safe. If you folks are willing to play arm chair lawyer and risk going to court of ``seems to'' and ``may not'' and ``possibles'' that is your decision. Me, when it comes to playing games with the law, make damn sure that I play it on the safe side of things. I would need 2 professional opinions before I would import DES code, 1 from a lawyer specializing in import/export law, preferably with some cited Federal rulings from cases, and the 2nd from a US Customs officer specializing in munitions.

Those are 2 opinions I could go get if I so desired to import DES, however I have no desire to waste my time or energy to do this as I already have a legally obtained copy of DES.

Simply put, anything less than what I outline above is hearsay.
--
Rod Grimes                    rgrimes@gndrsh.aac.dev.com
Accurate Automation Company   Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 05:52:20 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA18605 for security-outgoing; Wed, 26 Jul 1995 05:52:20 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA18573 for ; Wed, 26 Jul 1995 05:52:16 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id FAA08981; Wed, 26 Jul 1995 05:51:34 -0700
Message-Id: <199507261251.FAA08981@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Wed, 26 Jul 1995 05:51:33 -0700
From: "David E. Tweten"
Sender: security-owner@freebsd.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Rodney W. Grimes writes:
> I would need 2 professional opinions
> before I would import DES code, 1 from a lawyer specializing in import/export
> law, preferably with some cited Federal rulings from cases, and the 2nd from
> a US Customs officer specializing in munitions.
>
> Those are 2 opinions I could go get if I so desired to import DES, however
> I have no desire to waste my time or energy to do this as I already have
> a legally obtained copy of DES.
>
> Simply put, anything less than what I outline above is hearsay.

The following is not hearsay.

In my capacity as a software project leader for NASA, under a beta program, I have distributed about a dozen copies of a Unix package called Portable Batch System (PBS).
It does no crypto because stub DES routines are included, but its documentation contains references to off-shore sources of DES routines which may be substituted if a beta site actually wants some security. The reason for this twisted state of affairs is to permit exportation of PBS after the beta program is over, and after COSMIC (NASA's software distribution arm) takes PBS off its temporarily sensitive (read "new") technology list.

Our beta sites (currently a dozen or so) have been importing the DES "munition" as our documentation suggests for over a year. Neither we nor they have experienced any problem, because importation of crypto is not restricted.

- --
David E. Tweten          | PGP Key fingerprint =    | tweten@frihet.com
12141 Atrium Drive       | E9 59 E7 5C 6B 88 B8 90  | tweten@and.com
Saratoga, CA 95070-3162  | 65 30 2A A4 A0 BC 49 AE  | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.

From owner-freebsd-security Wed Jul 26 09:34:08 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id JAA26765 for security-outgoing; Wed, 26 Jul 1995 09:34:08 -0700
Received: from jli (jli.portland.or.us [199.2.111.1]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id JAA26759 for ; Wed, 26 Jul 1995 09:34:05 -0700
Received: from cumulus by jli with uucp (Smail3.1.28.1 #23) id m0sb9OZ-0001bCC; Wed, 26 Jul 95 09:33 PDT
Message-Id:
To: security@freebsd.org
Subject: Re: secure/ changes...
References: <199507261107.EAA08554@tale.frihet.com>
In-reply-to: Your message of Wed, 26 Jul 1995 04:07:18 PDT. <199507261107.EAA08554@tale.frihet.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1882.806776359.1@cloud.rain.com>
Date: Wed, 26 Jul 1995 09:32:39 -0700
From: Bill Trost
Sender: security-owner@freebsd.org
Precedence: bulk

Part of what may be causing people to worry about importing encryption software is that some of it is illegal to *use* (and probably import) in the United States. In particular, the international versions of PGP contain their own implementation of RSA, so any use of those versions of PGP are violations of PKP's patents on the algorithm.

Keep this in mind when planning what software to import. Both RSA and Diffie-Hellman are covered by patents (although the latter expires in 1997). In general, though, keeping sources for secure software outside the United States is an *excellent* idea. After all, if you comparison shop for stereos, why not governments as well?

From owner-freebsd-security Wed Jul 26 09:55:51 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id JAA27941 for security-outgoing; Wed, 26 Jul 1995 09:55:51 -0700
Received: from kithrup.com (kithrup.com [140.174.23.40]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id JAA27933 for ; Wed, 26 Jul 1995 09:55:50 -0700
Received: (from sef@localhost) by kithrup.com (8.6.8/8.6.6) id JAA02598; Wed, 26 Jul 1995 09:55:43 -0700
Date: Wed, 26 Jul 1995 09:55:43 -0700
From: Sean Eric Fagan
Message-Id: <199507261655.JAA02598@kithrup.com>
To: trost@cloud.rain.com
Subject: Re: secure/ changes...
Newsgroups: kithrup.freebsd.security
In-Reply-To:
References: Your message of Wed, 26 Jul 1995 04:07:18 PDT. <199507261107.EAA08554@tale.frihet.com>
Organization: Kithrup Enterprises, Ltd.
Cc: security@freebsd.org
Sender: security-owner@freebsd.org
Precedence: bulk

In article you write:
>Part of what may be causing people to worry about importing encryption
>software is that some of it is illegal to *use* (and probably import)
>in the United States. In particular, the international versions of
>PGP contain their own implementation of RSA, so any use of those
>versions of PGP are violations of PKP's patents on the algorithm.

That is a civil issue, not a criminal issue. (Meaning, it's not illegal, the most it would do is land you in a patent-infringement suit.) It is not infringement to have the code, nor to distribute it. It is infringement to use it. (It can also be considered infringement to distribute it with the knowledge and intent that it be used, but that's a derivation of infringement, if I understand correctly and nobody minds me using a bit of mathematical metaphor ;).) It is in no way illegal or infringement to simply import it.

From owner-freebsd-security Wed Jul 26 09:57:07 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id JAA28047 for security-outgoing; Wed, 26 Jul 1995 09:57:07 -0700
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id JAA28032 for ; Wed, 26 Jul 1995 09:57:05 -0700
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.3.6) id AA08451; Wed, 26 Jul 1995 12:57:00 -0400
Date: Wed, 26 Jul 1995 12:57:00 -0400
From: Garrett Wollman
Message-Id: <9507261657.AA08451@halloran-eldar.lcs.mit.edu>
To: Bill Trost
Cc: security@freebsd.org
Subject: Re: secure/ changes...
In-Reply-To:
References: <199507261107.EAA08554@tale.frihet.com>
Sender: security-owner@freebsd.org
Precedence: bulk

< said:

> in the United States. In particular, the international versions of
> PGP contain their own implementation of RSA, so any use of those
> versions of PGP are violations of PKP's patents on the algorithm.
Almost. PKP doesn't hold the patents, just exclusive licensing rights to them. Most of the original patents are held by MIT, Stanford, or both, although I can't remember who has which one.

> Keep this in mind when planning what software to import. Both RSA and
> Diffie-Hellman are covered by patents (although the latter expires in
> 1997).

And public-key cryptography in general is also covered by a patent, which expires this year or next. Unfortunately, nobody has yet found a practical PKE scheme other than RSA.

Disclaimer: Although Ron Rivest is indirectly my superior (he is a director of the Lab), I have never met the man and do not speak authoritatively on this subject.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant

From owner-freebsd-security Wed Jul 26 10:37:18 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id KAA00526 for security-outgoing; Wed, 26 Jul 1995 10:37:18 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id KAA00518 for ; Wed, 26 Jul 1995 10:37:14 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id KAA25735; Wed, 26 Jul 1995 10:36:48 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261736.KAA25735@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: tweten@frihet.com
Date: Wed, 26 Jul 1995 10:36:48 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <199507261251.FAA08981@tale.frihet.com> from "David E.
Tweten" at Jul 26, 95 05:51:33 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2719
Sender: security-owner@freebsd.org
Precedence: bulk

>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Rodney W. Grimes writes:
> > I would need 2 professional opinions
> > before I would import DES code, 1 from a lawyer specializing in import/export
> > law, preferably with some cited Federal rulings from cases, and the 2nd from
> > a US Customs officer specializing in munitions.
> >
> > Those are 2 opinions I could go get if I so desired to import DES, however
> > I have no desire to waste my time or energy to do this as I already have
> > a legally obtained copy of DES.
> >
> > Simply put, anything less than what I outline above is hearsay.
>
> The following is not hearsay.
>
> In my capacity as a software project leader for NASA, under a beta program, I
> have distributed about a dozen copies of a Unix package called Portable Batch
> System (PBS). It does no crypto because stub DES routines are included, but
> its documentation contains references to off-shore sources of DES routines
> which may be substituted if a beta site actually wants some security. The
> reason for this twisted state of affairs is to permit exportation of PBS after
> the beta program is over, and after COSMIC (NASA's software distribution arm)
> takes PBS off its temporarily sensitive (read "new") technology list.

I will agree, the above statement is not hearsay.

> Our beta sites (currently a dozen or so) have been importing the DES
> "munition" as our documentation suggests for over a year. Neither we nor they
> have experienced any problem,

And even that much of this paragraph is not hearsay. I have driven at well in excess of 150MPH down a freeway in Oregon and was not stopped or fined for doing so in any way, on numerous occasions, does that mean it is ``legal''. No, it simply means I did not get caught.
> because importation of crypto is not restricted.

In my book that is hearsay, you are not in a position to definitively make that statement. Why? Well, you're not a lawyer, you're not an import specialist, you're not a US Customs officer, you're not a representative of the ATF, you're not a State Department official. You are a ``software project leader for NASA'', that does not make you an authority on US import law. You can not cite (nor can I) chapter and verse from the appropriate documents to assert that statement one way or the other, therefore it is ``hearsay'' and or an opinion. I will caution you that giving ``legal'' advice without the proper credentials is a violation of most states BAR regulations, but consult an attorney for full details on that issue. :-)

--
Rod Grimes                    rgrimes@gndrsh.aac.dev.com
Accurate Automation Company   Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 10:43:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id KAA01039 for security-outgoing; Wed, 26 Jul 1995 10:43:04 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id KAA01029 for ; Wed, 26 Jul 1995 10:43:02 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id MAA225689; Wed, 26 Jul 1995 12:42:21 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for pst@stupi.se at austin.ibm.com; id AA17868; Wed, 26 Jul 1995 12:42:02 -0500
Message-Id: <9507261742.AA17868@ozymandias.austin.ibm.com>
To: "Rodney W. Grimes"
Cc: sef@kithrup.com (Sean Eric Fagan), security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Tue, 25 Jul 1995 22:58:54 CDT.)
<199507260558.WAA24037@gndrsh.aac.dev.com>
Date: Wed, 26 Jul 1995 12:42:02 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

"Rodney W. Grimes" writes:
>> >Various import and export paper work from UPS, Federal Express, and DLH
>> >all state that ``firearms'' and or ``munitions'' are regulated for import
>> >and export and require special paper work. Generally this reads:
>> >``We accept shipments of firearms when either the shipper or recipient
>> >is a licensed manufacturer, licensed importer, licensed dealer or licensed
>> >collector who is not prohibited from such shipments by federal, state or
>> >local regulations.''
>>
>> UPS, Federal Express, and DLH are not the federal government. In addition,
>> "firearms" are a subset of "munitions," and what all the couriers (and the
>> post office) mean by "munitions" are the hardware kind, not software of any
>> sort.
>
>No, that is why they add that final all cover sentence, they are protecting
>themselves with
>``who is not prohibited from such shipments by federal, state or
>local regulations.''
>
>I am prohibited by Federal law from exporting DES, so UPS/FedEX and all
>the others have covered their ass with the above.

You aren't even reading *this* correctly. In the last part of the sentence, the phrase "such shipments" obviously refers to "shipments of firearms". There's absolutely nothing in the statement you've mentioned which references munitions in general. You've clearly no idea what you're talking about.

Point me to any single regulation which both applies to me as a U.S. citizen, and which prohibits me from importing DES or RSA software from a country where possession of such is legal.

I can clearly show you (with web pointers, as I did in an earlier message) where *export* and *temporary* import are prohibited. The very same document explicitly disavows its authority to prohibit *permanent* import.
>> >I do not have a direct reference to the State Department munitions list,
>> >or the applicable ATF regulations, but I do assure you they exist, and
>> >they are enforced (reference, Austin Code Works was indicted in 1994 by
>> >the US State Department for shipping DES software out of the US on CDROM).

The munitions list is defined in the International Traffic in Arms Regulations, the full text of which may be found by retrieving: .

>> It is not illegal to import DES. Or PGP. Or any other software that does
>> encryption (given the caveat above).
>
>I disagree.

You're wrong. It may be illegal to export DES or PGP from some specific countries, but the question we're really discussing here is whether it's appropriate to make the FreeBSD security release available on a server in South Africa, which has no such export control. I maintain that in eight months or so of closely following the issues related to cryptographic prohibitions, I've never heard of any U.S. regulation which prohibits its import.

>> It is not illegal or forbidden to ship encryption software domestically, via
>> the US Postal Service, or any of the couriers. If I understand things
>> correctly, Canada and Mexico may also be allowed, but I'm not sure.
>
>I didn't even mention domestic, I was quoting chapter and verse from the
>international shippers guide of Fed Ex. My UPS international guide has very
>similar statements in it. Canada and Mexico still go through customs,
>so though it may be allowed, it will be regulated.

The ITAR also does not cover shipments to Canada.

>> I verified all of this today with someone who's had to deal with the
>> regulations. Have you?
>
>See above. And no, but I do deal with US customs paper work on a weekly
>basis, just ask a few of my international customers. And if you want to
>make a real point, go get the ATF and State department's import/export
>stuff, and talk with _THEM_ about imports.
>Not some one who has done
>DES exporting, I know that can be done, it just takes paper work (on a
>per copy basis, I know all about it, been there done that, is what
>_NO_ one has done is go try to find out exactly what paper work customs
>want to allow the stuff across the border if you clearly point them
>at the fact this stuff _is_ on the munitions list). You might just be
>in for a very big surprise, or I might be all wet. But I am not willing
>to risk Grand Jury indictment on this hearsay information.

The broad consensus here seems to be that import of cryptographic equipment is not prohibited. By all means --- prove us wrong, if you can.

In general, as I understand the process, to *export* cryptographic equipment, one must first get a "Commodities Jurisdiction" ruling from the Department of Justice which basically says, "this isn't a munition." Typically, a 40 bit keyspace will get one. Once you have the CJ, it's entirely up to the Department of Commerce as to whether your equipment is exportable, and their regulations don't prohibit cryptographic equipment.

Since permanent imports are not covered by DoJ's ITAR, you can skip the CJ step for them. This means you only have to deal with DoC, which doesn't prohibit crypto. The only question becomes whether the material is *generally* importable. It wouldn't surprise me if the DoC *generally* prohibits the import of goods which are prohibited from export in the country of origin, but restrictions beyond this would be curious.

Now, to cover my own butt, I have to add that I'm not a lawyer, nor do I play one on TV or the net. I *can* read, though, and have read a lot on this subject: often by people who *do* play lawyers on the net.

From owner-freebsd-security Wed Jul 26 11:28:51 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA05983 for security-outgoing; Wed, 26 Jul 1995 11:28:51 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA05967 for ; Wed, 26 Jul 1995 11:28:48 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id LAA26057; Wed, 26 Jul 1995 11:28:33 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261828.LAA26057@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: trost@cloud.rain.com (Bill Trost)
Date: Wed, 26 Jul 1995 11:28:33 -0700 (PDT)
Cc: security@freebsd.org
In-Reply-To: from "Bill Trost" at Jul 26, 95 09:32:39 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1130
Sender: security-owner@freebsd.org
Precedence: bulk

>
> Part of what may be causing people to worry about importing encryption
> software is that some of it is illegal to *use* (and probably import)
> in the United States. In particular, the international versions of
> PGP contain their own implementation of RSA, so any use of those
> versions of PGP are violations of PKP's patents on the algorithm.

And thus importation of ``PGP'' is restricted by ``local, state or federal law'', and thus my assertion holds true, it is illegal to import PGP, not for the reason I cited, but none the less still illegal. It is illegal to import anything you can not legally posses(sp).

> Keep this in mind when planning what software to import. Both RSA and
> Diffie-Hellman are covered by patents (although the latter expires in
> 1997). In general, though, keeping sources for secure software
> outside the United States is an *excellent* idea. After all, if you
> comparison shop for stereos, why not governments as well?
:-)

--
Rod Grimes                    rgrimes@gndrsh.aac.dev.com
Accurate Automation Company   Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 11:57:12 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA11384 for security-outgoing; Wed, 26 Jul 1995 11:57:12 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA11350 for ; Wed, 26 Jul 1995 11:57:05 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id LAA26575; Wed, 26 Jul 1995 11:56:02 -0700
From: "Rodney W. Grimes"
Message-Id: <199507261856.LAA26575@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: sjb@austin.ibm.com (Scott Brickner)
Date: Wed, 26 Jul 1995 11:56:02 -0700 (PDT)
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
In-Reply-To: <9507261742.AA17868@ozymandias.austin.ibm.com> from "Scott Brickner" at Jul 26, 95 12:42:02 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 7381
Sender: security-owner@freebsd.org
Precedence: bulk

>
> "Rodney W. Grimes" writes:
> >> >Various import and export paper work from UPS, Federal Express, and DLH
> >> >all state that ``firearms'' and or ``munitions'' are regulated for import
> >> >and export and require special paper work. Generally this reads:
> >> >``We accept shipments of firearms when either the shipper or recipient
...
>
> You aren't even reading *this* correctly. In the last part of the sentence,
> the phrase "such shipments" obviously refers to "shipments of firearms".

That may be obvious to you, but that is again your interpretation. Mine differs, leave it at that.

> There's absolutely nothing in the statement you've mentioned which references
> munitions in general. You've clearly no idea what you're talking about.

That tone won't go very far with convincing me or anyone else.
Again, ``no idea what you're talking about'' is your opinion, is hearsay, and is, IMO, incorrect. But you are entitled to your opinion as am I. I don't give a darn if you end up in jail, I do have great concern if I do.

> Point me to any single regulation which both applies to me as a U.S. citizen,
> and which prohibits me from importing DES or RSA software from a country
> where possession of such is legal.

I already said I have no reason to go do this leg work, it is _not_ me who wants to import it.

> I can clearly show you (with web pointers, as I did in an earlier message)
> where *export* and *temporary* import are prohibited. The very same document
> explicitly disavows its authority to prohibit *permanent* import.

A document explicitly disavowing its authority does not mean there is not another asserting its. This is what makes law so d*mn hard to figure out what is and is not legal. It is very easy to find things that say this or that is illegal, but it is much harder to search and ascertain if some action is legal as you have to do it by 1 of two means, exhaustive search for anything that might make it illegal, or finding case citations with a ruling from at least 2 or 3 courts that clearly show the action was not legal. (1 case does not do it, that is not a ``precedent''.)

> >> >I do not have a direct reference to the State Department munitions list,
> >> >or the applicable ATF regulations, but I do assure you they exist, and
> >> >they are enforced (reference, Austin Code Works was indicted in 1994 by
> >> >the US State Department for shipping DES software out of the US on CDROM).
>
> The munitions list is defined in the International Traffic in Arms Regulations,
> the full text of which may be found by retrieving:
> .

Okay, so you've ruled out one possible place for trouble. I will go read this to increase my understanding of the _export_ side.
But this does nothing to convince me about import, since as you already said this document does not cover import.

> >> It is not illegal to import DES. Or PGP. Or any other software that does
> >> encryption (given the caveat above).
> >
> >I disagree.
>
> You're wrong.

Your opinion, and it ain't worth squat as you're not an authority I will respect on this issue. Look, we disagree on a point of law, I respect your opinion, you go import DES and PGP to your heart's end. It won't affect me one bit, but I will _not_ take a risk like that without better assessment of information from proper legal and/or government agencies. I believe strongly in my right to keep my ass out of jail, and your right to put it there if you want to play fast and loose.

> It may be illegal to export DES or PGP from some specific
> countries, but the question we're really discussing here is whether it's
> appropriate to make the FreeBSD security release available on a server
> in South Africa, which has no such export control. I maintain that in
> eight months or so of closely following the issues related to cryptographic
> prohibitions, I've never heard of any U.S. regulation which prohibits its
> import.

Because you don't desire to find one. In fact you _desire_ just the opposite, which is, IMHO, a really bad thing to desire when you are trying to ascertain that your actions are legal.

> >> It is not illegal or forbidden to ship encryption software domestically, via
> >> the US Postal Service, or any of the couriers. If I understand things
> >> correctly, Canada and Mexico may also be allowed, but I'm not sure.
> >
> >I didn't even mention domestic, I was quoting chapter and verse from the
> >international shippers guide of Fed Ex. My UPS international guide has very
> >similar statements in it. Canada and Mexico still go through customs,
> >so though it may be allowed, it will be regulated.
>
> The ITAR also does not cover shipments to Canada.
>
> >> I verified all of this today with someone who's had to deal with the
> >> regulations. Have you?
> >
> >See above. And no, but I do deal with US customs paper work on a weekly
> >basis, just ask a few of my international customers. And if you want to
> >make a real point, go get the ATF and State department's import/export
> >stuff, and talk with _THEM_ about imports. Not some one who has done
> >DES exporting, I know that can be done, it just takes paper work (on a
> >per copy basis, I know all about it, been there done that, is what
> >_NO_ one has done is go try to find out exactly what paper work customs
> >want to allow the stuff across the border if you clearly point them
> >at the fact this stuff _is_ on the munitions list). You might just be
> >in for a very big surprise, or I might be all wet. But I am not willing
> >to risk Grand Jury indictment on this hearsay information.
>
> The broad consensus here seems to be that import of cryptographic
> equipment is not prohibited. By all means --- prove us wrong, if
> you can.

I have no reason to take any more efforts in proving you or myself wrong or right. A ``broad consensus'' is still hearsay, and I don't risk my future on hearsay.

> In general, as I understand the process, to *export* cryptographic
> equipment, one must first get a "Commodities Jurisdiction" ruling
...

Export is not the issue here, we are all well aware of what it takes to export DES.

> Since permanent imports are not covered by DoJ's ITAR, you can
> skip the CJ step for them. This means you only have to deal with
> DoC, which doesn't prohibit crypto. The only question becomes
> whether the material is *generally* importable. It wouldn't
> surprise me if the DoC *generally* prohibits the import of goods
> which are prohibited from export in the country of origin, but
> restrictions beyond this would be curious.
>
> Now, to cover my own butt, I have to add that I'm not a lawyer,
> nor do I play one on TV or the net.
> I *can* read, though, and
> have read a lot on this subject: often by people who *do* play
> lawyers on the net.

Obtaining legal advice and taking action on such information, IMHO,
in this manner is a very dangerous game to play. There are 10000
armchair lawyers for every 1 real one. I am an armchair lawyer,
but I don't take legal actions based upon my armchair interpretations,
I pay for proper legal advice and/or consult the law books and/or
agencies myself.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 12:30:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA16791 for security-outgoing; Wed, 26 Jul 1995 12:30:33 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA16762 for ; Wed, 26 Jul 1995 12:30:26 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id OAA233450; Wed, 26 Jul 1995 14:30:17 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for security@freebsd.org at austin.ibm.com; id AA17859; Wed, 26 Jul 1995 14:30:09 -0500
Message-Id: <9507261930.AA17859@ozymandias.austin.ibm.com>
To: Bill Trost
Cc: security@freebsd.org
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Wed, 26 Jul 1995 09:32:39 CDT.)
Date: Wed, 26 Jul 1995 14:30:09 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

In message Bill Trost writes:
>Part of what may be causing people to worry about importing encryption
>software is that some of it is illegal to *use* (and probably import)
>in the United States.
>In particular, the international versions of
>PGP contain their own implementation of RSA, so any use of those
>versions of PGP are violations of PKP's patents on the algorithm.

Patents prohibit commercial use of the program, though, not private use.

From owner-freebsd-security Wed Jul 26 12:33:45 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA17353 for security-outgoing; Wed, 26 Jul 1995 12:33:45 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA17342 for ; Wed, 26 Jul 1995 12:33:42 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id OAA229854; Wed, 26 Jul 1995 14:33:32 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for security@freebsd.org at austin.ibm.com; id AA13266; Wed, 26 Jul 1995 14:33:27 -0500
Message-Id: <9507261933.AA13266@ozymandias.austin.ibm.com>
To: "Rodney W. Grimes"
Cc: trost@cloud.rain.com (Bill Trost), security@freebsd.org
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Wed, 26 Jul 1995 11:28:33 CDT.) <199507261828.LAA26057@gndrsh.aac.dev.com>
Date: Wed, 26 Jul 1995 14:33:27 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

In message <199507261828.LAA26057@gndrsh.aac.dev.com> "Rodney W. Grimes" writes
>And thus importation of ``PGP'' is restricted by ``local, state or
>federal law'', and thus my assertion holds true, it is illegal
>to import PGP, not for the reason I cited, but nonetheless
>still illegal. It is illegal to import anything you can not
>legally posses(sp).

It's always legal to "possess" PGP in the U.S.. It's only illegal to
*use* it for *commercial* purposes.

From owner-freebsd-security Wed Jul 26 14:02:05 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id OAA22143 for security-outgoing; Wed, 26 Jul 1995 14:02:05 -0700
Received: from husky.cslab.vt.edu (husky.cs.vt.edu [128.173.41.87]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id OAA22136 for ; Wed, 26 Jul 1995 14:02:00 -0700
Received: (jaitken@localhost) by husky.cslab.vt.edu (8.6.12/8.6.4) id RAA19119; Wed, 26 Jul 1995 17:01:49 -0400
From: Jeff Aitken
Message-Id: <199507262101.RAA19119@husky.cslab.vt.edu>
Subject: Re: secure/ changes...
To: sef@kithrup.com (Sean Eric Fagan)
Date: Wed, 26 Jul 1995 17:01:48 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: <199507262041.NAA06772@kithrup.com> from "Sean Eric Fagan" at Jul 26, 95 01:41:36 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 1120
Sender: security-owner@freebsd.org
Precedence: bulk

> Did you have anything to say?

Yes ;) I hit the wrong sequence of keys out of habit and sent the
message when I meant not to. Sorry. What I wanted to respond to was:

> > Now, to cover my own butt, I have to add that I'm not a lawyer,
> > nor do I play one on TV or the net. I *can* read, though, and
> > have read a lot on this subject: often by people who *do* play
> > lawyers on the net.

Although I don't claim to understand much about this whole issue, many
of the net.lawyers (and probably a few real ones too ;) think
Zimmermann is not guilty, but that hasn't stopped the DoJ from
prosecuting him (last I heard). Perhaps Rodney is simply taking the
position that he isn't willing to risk it, even if it seems like
importing crypto software isn't really illegal in all cases. The
entire FreeBSD core team has gone to great lengths to avoid any further
confrontations with USL, despite the beliefs of many well informed
people who thought their lawsuit was groundless/pointless/useless/
frivolous/etc. Perhaps that lesson is carrying over into this issue...

Just my $.02

--
Jeff Aitken jaitken@vt.edu

From owner-freebsd-security Wed Jul 26 14:24:00 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id OAA23009 for security-outgoing; Wed, 26 Jul 1995 14:24:00 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id OAA22998 for ; Wed, 26 Jul 1995 14:23:51 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id XAA14364; Wed, 26 Jul 1995 23:23:38 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id XAA27515; Wed, 26 Jul 1995 23:23:37 +0200
Message-Id: <199507262123.XAA27515@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: Jeff Aitken
cc: sef@kithrup.com (Sean Eric Fagan), security@freebsd.org
Subject: Re: secure/ changes...
Date: Wed, 26 Jul 1995 23:23:36 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> Yes ;) I hit the wrong sequence of keys out of habit and sent the
> message when I meant not to. Sorry. What I wanted to respond to was:
>
> > > Now, to cover my own butt, I have to add that I'm not a lawyer,
> > > nor do I play one on TV or the net. I *can* read, though, and
> > > have read a lot on this subject: often by people who *do* play
> > > lawyers on the net.
>
> Although I don't claim to understand much about this whole issue, many
> of the net.lawyers (and probably a few real ones too ;) think
> Zimmermann is not guilty, but that hasn't stopped the DoJ from
> prosecuting him (last I heard). Perhaps Rodney is simply taking the
> position that he isn't willing to risk it, even if it seems like
> importing crypto software isn't really illegal in all cases.
> The entire FreeBSD core team has gone to great lengths to avoid any further
> confrontations with USL, despite the beliefs of many well informed
> people who thought their lawsuit was groundless/pointless/useless/
> frivolous/etc. Perhaps that lesson is carrying over into this issue...

This debate has been very informative for me. I realised this was a problem,
but I did not realise it was as difficult as this to research. :-( :-( :-(

I have the whole ITAR document now, and it is my intention to STUDY the
bugger to see what it says. That should be definitive enough?

BTW - and this is a BIIIG `BTW': Are all parties aware that our current
DES library was written in Australia? Likewise eBones (By the same author
as DES). A different Australian wrote our DES crypt(3) and friends.

If we are scared of prosecution, _now_ is the time to divest ourselves
of the cruft...

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Wed Jul 26 16:16:13 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id QAA26765 for security-outgoing; Wed, 26 Jul 1995 16:16:13 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id QAA26758 for ; Wed, 26 Jul 1995 16:16:09 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id SAA216288; Wed, 26 Jul 1995 18:15:40 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for pst@stupi.se at austin.ibm.com; id AA15729; Wed, 26 Jul 1995 18:15:09 -0500
Message-Id: <9507262315.AA15729@ozymandias.austin.ibm.com>
To: "Rodney W. Grimes"
Cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Wed, 26 Jul 1995 11:56:02 CDT.)
    <199507261856.LAA26575@gndrsh.aac.dev.com>
Date: Wed, 26 Jul 1995 18:15:09 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

"Rodney W. Grimes" writes:
>Obtaining legal advice and taking action on such information, IMHO,
>in this manner is a very dangerous game to play. There are 10000
>armchair lawyers for every 1 real one. I am an armchair lawyer,
>but I don't take legal actions based upon my armchair interpretations,
>I pay for proper legal advice and/or consult the law books and/or
>agencies myself.

You seem quite willing to offer us plenty of advice on the legality
of crypto import.

Okay. We're all aware that you just don't know whether it's legal to
import DES. So why bother insisting "it might be illegal"? Sure, it
might. It might be illegal to *breathe* given the ridiculously
convoluted structure of American law.

The question at hand is still, "Should we consider making the FreeBSD
foreign security available by ftp?" The advice as to whether or not it
is illegal is only that --- advice. The final decision is up to whoever
owns that server, and will be liable to legal action resulting from
running it. He is legally assumed to be competent to judge for himself
whose advice he believes.

I note for him (whoever he may be) that none of the various mailing
lists or newsgroups that would likely discuss the subject have noted
import restrictions --- most are comfortable with the position that
crypto import is *not* illegal. I further note that the basis for Phil
Zimmermann's harassment is entirely based on the fact that he is
claimed to be responsible for the *export* of strong crypto, not its
*import*, which he must necessarily have also done --- IDEA, the
symmetric cipher in PGP, originated in Europe. I assert that if such
import were illegal, charges against PRZ would include a violation of
such.

You, on the other hand, offer merely the fact that lots of stuff is
regulated for import and export.
We'll leave the server operator to decide for himself.

From owner-freebsd-security Wed Jul 26 16:44:23 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id QAA28100 for security-outgoing; Wed, 26 Jul 1995 16:44:23 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id QAA28094 for ; Wed, 26 Jul 1995 16:44:21 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id SAA208203; Wed, 26 Jul 1995 18:44:19 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for security@freebsd.org at austin.ibm.com; id AA18171; Wed, 26 Jul 1995 18:43:50 -0500
Message-Id: <9507262343.AA18171@ozymandias.austin.ibm.com>
To: Jeff Aitken
Cc: sef@kithrup.com (Sean Eric Fagan), security@freebsd.org
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Wed, 26 Jul 1995 17:01:48 CDT.) <199507262101.RAA19119@husky.cslab.vt.edu>
Date: Wed, 26 Jul 1995 18:43:50 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

Jeff Aitken writes:
>Although I don't claim to understand much about this whole issue, many
>of the net.lawyers (and probably a few real ones too ;) think
>Zimmermann is not guilty, but that hasn't stopped the DoJ from
>prosecuting him (last I heard). Perhaps Rodney is simply taking the
>position that he isn't willing to risk it, even if it seems like
>importing crypto software isn't really illegal in all cases. The
>entire FreeBSD core team has gone to great lengths to avoid any further
>confrontations with USL, despite the beliefs of many well informed
>people who thought their lawsuit was groundless/pointless/useless/
>frivolous/etc. Perhaps that lesson is carrying over into this issue...

They aren't prosecuting him, yet. They're just persecuting him.
No formal charges have been brought.

I assume you bring this up to point out that the legality of the
issue is independent from persecution on the issue. True. But
the persecution is still based on a specific prohibition ---
export of crypto --- under ITAR. ITAR doesn't cover import.
Were import illegal, PRZ would also be harassed for the import
of IDEA. He isn't, ergo import is legal.

From owner-freebsd-security Wed Jul 26 17:46:22 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id RAA29345 for security-outgoing; Wed, 26 Jul 1995 17:46:22 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id RAA29339 for ; Wed, 26 Jul 1995 17:46:19 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id RAA27300; Wed, 26 Jul 1995 17:45:42 -0700
From: "Rodney W. Grimes"
Message-Id: <199507270045.RAA27300@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: mark@grondar.za (Mark Murray)
Date: Wed, 26 Jul 1995 17:45:42 -0700 (PDT)
Cc: jaitken@cslab.vt.edu, sef@kithrup.com, security@freebsd.org
In-Reply-To: <199507262123.XAA27515@grumble.grondar.za> from "Mark Murray" at Jul 26, 95 11:23:36 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3168
Sender: security-owner@freebsd.org
Precedence: bulk

>
> > Yes ;) I hit the wrong sequence of keys out of habit and sent the
> > message when I meant not to. Sorry. What I wanted to respond to was:
> >
> > > > Now, to cover my own butt, I have to add that I'm not a lawyer,
> > > > nor do I play one on TV or the net. I *can* read, though, and
> > > > have read a lot on this subject: often by people who *do* play
> > > > lawyers on the net.
> >
> > Although I don't claim to understand much about this whole issue, many
> > of the net.lawyers (and probably a few real ones too ;) think
> > Zimmermann is not guilty, but that hasn't stopped the DoJ from
> > prosecuting him (last I heard). Perhaps Rodney is simply taking the
> > position that he isn't willing to risk it, even if it seems like
> > importing crypto software isn't really illegal in all cases. The
> > entire FreeBSD core team has gone to great lengths to avoid any further
> > confrontations with USL, despite the beliefs of many well informed
> > people who thought their lawsuit was groundless/pointless/useless/
> > frivolous/etc. Perhaps that lesson is carrying over into this issue...
>
> This debate has been very informative for me. I realised this was a problem,
> but I did not realise it was as difficult as this to research. :-( :-( :-(

A week's time, and a good law library would be a nice place to start.
Finding a ``good'' law library that has the right Federal regulatory
documents can be real tough to find. Especially if you're looking for
US documents in za :-(.

> I have the whole ITAR document now, and it is my intention to STUDY the
> bugger to see what it says. That should be definitive enough?

No, as it specifically says it does not apply to permanent import, so
it is not the regulatory document to be consulted. This does not mean
there is no restriction on import, it simply means ITAR does not cover
it.

> BTW - and this is a BIIIG `BTW': Are all parties aware that our current
> DES library was written in Australia? Likewise eBones (By the same author
> as DES). A different Australian wrote our DES crypt(3) and friends.
>
> If we are scared of prosecution, _now_ is the time to divest ourselves
> of the cruft...

I raised a big red flag when all that was done and washed my hands of
it when it happened, though I did not realize we were bringing in a
foreign DES, I thought it was just Bones hacked to work with the DES
that came with 4.4BSD.
Had I known what actually transpired I would have screamed a little
louder, in fact a lot louder. I was ``informed'' by the people doing
this that it was totally legal, that they had done their homework, and
that there would be no problems, so it is their ass on the line here,
since I did not participate in the action of doing it.

I may be held accountable though as an after the fact accessory, so it
is _now_ in my best interest to further the investigation of the legal
status of these actions. Something I do not really want to do, which
means it will proceed at a snail's pace in the background.

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 18:13:50 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id SAA29992 for security-outgoing; Wed, 26 Jul 1995 18:13:50 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id SAA29985 for ; Wed, 26 Jul 1995 18:13:48 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id SAA27356; Wed, 26 Jul 1995 18:13:25 -0700
From: "Rodney W. Grimes"
Message-Id: <199507270113.SAA27356@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: sjb@austin.ibm.com (Scott Brickner)
Date: Wed, 26 Jul 1995 18:13:25 -0700 (PDT)
Cc: jaitken@cslab.vt.edu, sef@kithrup.com, security@freebsd.org
In-Reply-To: <9507262343.AA18171@ozymandias.austin.ibm.com> from "Scott Brickner" at Jul 26, 95 06:43:50 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1775
Sender: security-owner@freebsd.org
Precedence: bulk

>
> Jeff Aitken writes:
> >Although I don't claim to understand much about this whole issue, many
> >of the net.lawyers (and probably a few real ones too ;) think
> >Zimmermann is not guilty, but that hasn't stopped the DoJ from
> >prosecuting him (last I heard). Perhaps Rodney is simply taking the
> >position that he isn't willing to risk it, even if it seems like
> >importing crypto software isn't really illegal in all cases. The
> >entire FreeBSD core team has gone to great lengths to avoid any further
> >confrontations with USL, despite the beliefs of many well informed
> >people who thought their lawsuit was groundless/pointless/useless/
> >frivolous/etc. Perhaps that lesson is carrying over into this issue...
>
> They aren't prosecuting him, yet. They're just persecuting him.
> No formal charges have been brought.
>
> I assume you bring this up to point out that the legality of the
> issue is independent from persecution on the issue. True. But
> the persecution is still based on a specific prohibition ---
> export of crypto --- under ITAR. ITAR doesn't cover import.
> Were import illegal, PRZ would also be harassed for the import
> of IDEA. He isn't, ergo import is legal.

Your conclusion is not sound, though it may seem ``logical'' to some,
it is missing the premise that they don't have to press charges on
issues if they don't want to, and that they also often use the
strongest charge to get the indictment, then later add anything and
everything they can to that to increase the ``persecution''.

Perhaps not only should you go study law, but deductive logic as well :-) :-)

--
Rod Grimes rgrimes@gndrsh.aac.dev.com
Accurate Automation Company Reliable computers for FreeBSD

From owner-freebsd-security Wed Jul 26 18:18:37 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id SAA00401 for security-outgoing; Wed, 26 Jul 1995 18:18:37 -0700
Received: from husky.cslab.vt.edu (husky.cs.vt.edu [128.173.41.87]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id SAA00391 for ; Wed, 26 Jul 1995 18:18:35 -0700
Received: (jaitken@localhost) by husky.cslab.vt.edu (8.6.12/8.6.4) id VAA19165; Wed, 26 Jul 1995 21:18:25 -0400
From: Jeff Aitken
Message-Id: <199507270118.VAA19165@husky.cslab.vt.edu>
Subject: Re: secure/ changes...
To: sjb@austin.ibm.com (Scott Brickner)
Date: Wed, 26 Jul 1995 21:18:25 -0400 (EDT)
Cc: jaitken@cslab.vt.edu, sef@kithrup.com, security@freebsd.org
In-Reply-To: <9507262343.AA18171@ozymandias.austin.ibm.com> from "Scott Brickner" at Jul 26, 95 06:43:50 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 791
Sender: security-owner@freebsd.org
Precedence: bulk

> I assume you bring this up to point out that the legality of the
> issue is independent from persecution on the issue. True.

That was exactly my point. Furthermore, the fact that members of the
FreeBSD core team just finished a similar ordeal with USL makes it all
the more understandable that at least some of them are hesitant to even
approach a "gray" issue like this one.

> ITAR doesn't cover import.
> Were import illegal, PRZ would also be harassed for the import
> of IDEA. He isn't, ergo import is legal.

Although I freely admit that I have little or no knowledge of the
issues involved, and that you seem to have a fairly good grasp of them,
it is generally a logical fallacy to construe the absence of one fact
as proof of another.
:)

--
Jeff Aitken jaitken@vt.edu

From owner-freebsd-security Thu Jul 27 05:03:32 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id FAA19450 for security-outgoing; Thu, 27 Jul 1995 05:03:32 -0700
Received: from tale.frihet.com (ns.frihet.com [165.227.57.1]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id FAA19444 for ; Thu, 27 Jul 1995 05:03:27 -0700
Received: from localhost.frihet.com (tweten@localhost.frihet.com [127.0.0.1]) by tale.frihet.com (8.6.10/8.6.6) with SMTP id EAA12884; Thu, 27 Jul 1995 04:59:55 -0700
Message-Id: <199507271159.EAA12884@tale.frihet.com>
X-Authentication-Warning: tale.frihet.com: Host localhost.frihet.com didn't use HELO protocol
X-Mailer: exmh version 1.5.3 12/28/94
Reply-To: "David E. Tweten"
To: "Rodney W. Grimes"
cc: sef@kithrup.com, security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
Mime-Version: 1.0
Content-Type: application/pgp ; format=text ; x-action=signclear
Date: Thu, 27 Jul 1995 04:59:55 -0700
From: "David E. Tweten"
Sender: security-owner@freebsd.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Quoting me, Rodney W. Grimes writes:
> > Our beta sites (currently a dozen or so) have been importing the DES
> > "munition" as our documentation suggests for over a year. Neither we nor they
> > have experienced any problem,
>
> And even that much of this paragraph is not hearsay. I have driven at
> well in excess of 150MPH down a freeway in Oregon and was not stopped
> or fined for doing so in any way, on numerous occasions, does that mean it
> is ``legal''. No, it simply means I did not get caught.

This is beginning to nibble at the edges of the real problem here, the
difficulty of proving a negative. To prove a specific act to be not
"illegal" in the U.S., in any absolute sense, requires that somebody be
prosecuted and convicted for it, and for that conviction to be
overturned by the U.S. Supreme Court.
In all other circumstances, the act *might* be illegal. After all, the
law is what the Supreme Court says it is.

Under all other circumstances, one has to balance the evidence, make a
personal judgement and take his chances. Your standard of balance
strikes me as so conservative as to lead to paralysis. It is, of
course, your right to inflict paralysis upon yourself. It would be
unfortunate if the FreeBSD project were to follow your example.
Instead, I'd recommend considering the weight of the evidence, making a
judgement, and acting upon it.

The evidence, as I've witnessed it is:

1) In a huge flood of net messages (thousands), on lists that care a
   lot about the legal issues associated with crypto, no message has
   ever indicated that *importation* of crypto into the U.S. is
   restricted under U.S. law.

2) MIT's lawyers seem unconcerned that MIT PGP includes *imported*
   crypto in the form of the IDEA private key algorithm. On the other
   hand, MIT is taking strong steps to secure its position against
   attack based upon patent and crypto *export* considerations. That
   suggests to me that MIT's formidable troupe of lawyers has reviewed
   all aspects of PGP distribution and believes that MIT's crypto
   *importation* is not a legal problem.

3) A single person on the net, Rodney W. Grimes, is sufficiently
   worried that *importation* of crypto might be illegal that he
   recommends against it. He offers no evidence to justify his
   dissenting position, and instead demands evidence from the
   overwhelming majority that he is wrong.

I don't plan to waste any more time trying to provide him with the
evidence. Instead, I intend to ignore his advice on this topic in the
future. I recommend that course of action to the FreeBSD project, as
well.

- --
David E.
Tweten | PGP Key fingerprint = | tweten@frihet.com
12141 Atrium Drive | E9 59 E7 5C 6B 88 B8 90 | tweten@and.com
Saratoga, CA 95070-3162 | 65 30 2A A4 A0 BC 49 AE | (408) 446-4131
The only flags worth saluting are those you are permitted to burn.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMBd/rcfwvsV7F2dJAQFqxAf/Q6NTI5ELO+q9PO81frD1Tj+Y/JZwoT2l
y5pDlV2cS8I5YR5l3KIy/R0Ct8N+Kny8SaDvFabV7WOpsqKTjlLjQGVT8eSM5i/U
oxL5s4o/iLY7fIP4vUB5KIIbfAIe6ELY73HpJtweocnGEJ0+kPmsjf5Ty3BI26c/
koH3uqTl9SXi1uWf5FmXnxWRgECj6YDO23QliiqdVqybSAHCIZ76M32qFTAp2keV
E/InEA+t7THo3K+0IS8JZFSVrZGTulj/mXHuO6dMYO+4ULaXsrnoO2ZA91fuMqiv
AKoFjtnxtkELB/m51/CPKN98CKRXgeiU/DxA46n0kgTRDgX3lJ7BOw==
=s3Ip
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Jul 27 11:37:18 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA01965 for security-outgoing; Thu, 27 Jul 1995 11:37:18 -0700
Received: from puli.cisco.com (puli.cisco.com [171.69.1.174]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA01959 ; Thu, 27 Jul 1995 11:37:17 -0700
Received: from localhost.cisco.com (localhost.cisco.com [127.0.0.1]) by puli.cisco.com (8.6.8+c/8.6.5) with SMTP id LAA24171; Thu, 27 Jul 1995 11:35:20 -0700
Message-Id: <199507271835.LAA24171@puli.cisco.com>
To: "Rodney W. Grimes"
Cc: mark@grondar.za (Mark Murray), rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: secure/ changes...
In-Reply-To: Your message of "Mon, 24 Jul 1995 10:23:26 PDT." <199507241723.KAA19257@gndrsh.aac.dev.com>
Date: Thu, 27 Jul 1995 11:35:20 -0700
From: Paul Traina
Sender: security-owner@freebsd.org
Precedence: bulk

> As already pointed out no less than 2 times, DES is a munition, importing
> munitions is just as regulated as exporting them.

DISCLAIMER: I don't know what the hell I'm talking about.

While I can see how you came upon this interpretation by following that
analogy, I am pretty certain that that is -not- the case with DES.
I have never heard any of our trade people at cisco or NSA folks I've
talked to who deal with this crap raise an issue with importation of
DES.

Paul

From owner-freebsd-security Thu Jul 27 11:57:32 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA02573 for security-outgoing; Thu, 27 Jul 1995 11:57:32 -0700
Received: from mgs.mgsinc.com ([204.183.227.2]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA02566 ; Thu, 27 Jul 1995 11:57:23 -0700
Received: from loc10.mgsinc.com ([204.183.227.10]) by mgs.mgsinc.com (8.6.12/8.6.9) with SMTP id OAA06999; Thu, 27 Jul 1995 14:54:51 -0400
Date: Thu, 27 Jul 95 14:51:14 PDT
From: "Michael J. Caughey"
Subject: Re: secure/ changes...
To: "Rodney W. Grimes" , Paul Traina
Cc: Mark Murray , rgrimes@freebsd.org, security@freebsd.org, freebsd-foreign-secure@grondar.za
X-Mailer: Chameleon ARM_55, TCP/IP for Windows, NetManage Inc.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: security-owner@freebsd.org
Precedence: bulk

>DISCLAIMER: I don't know what the hell I'm talking about.
>

I think the same disclaimer would be fit for me, also.

I have the same problem with this whole import thing. I THOUGHT (maybe
at my err) that the USA does not want things exported because they want
the technology here in the USA not in another government's hands. If
they allow things to import like this it can only better us and the
USA.

From owner-freebsd-security Thu Jul 27 16:51:36 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id QAA14127 for security-outgoing; Thu, 27 Jul 1995 16:51:36 -0700
Received: from eikon.regent.e-technik.tu-muenchen.de (eikon.regent.e-technik.tu-muenchen.de [129.187.42.3]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id QAA14120 for ; Thu, 27 Jul 1995 16:51:28 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de ([129.187.142.36]) by eikon.regent.e-technik.tu-muenchen.de with SMTP id <55319>; Fri, 28 Jul 1995 01:50:24 +0200
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) with SMTP id BAA01164; Fri, 28 Jul 1995 01:34:04 +0200
Message-Id: <199507272334.BAA01164@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: "Rodney W. Grimes"
cc: trost@cloud.rain.com (Bill Trost), security@freebsd.org
Subject: Re: secure/ changes...
In-reply-to: Your message of "Wed, 26 Jul 1995 20:28:33 +0200." <199507261828.LAA26057@gndrsh.aac.dev.com>
Date: Fri, 28 Jul 1995 01:34:03 +0200
From: "Julian Stacey "
Sender: security-owner@freebsd.org
Precedence: bulk

> It is illegal to import anything you can not
> legally posses(sp).

That's a somewhat questionable projection.
Few lawyers study logic & civil servants draft laws, reporting to politicians
for approval. No one checks the `rule set' of a country's historical
accumulation of centuries of law for logical consistency.

Julian S

From owner-freebsd-security Thu Jul 27 16:52:01 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id QAA14180 for security-outgoing; Thu, 27 Jul 1995 16:52:01 -0700
Received: from eikon.regent.e-technik.tu-muenchen.de (eikon.regent.e-technik.tu-muenchen.de [129.187.42.3]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id QAA14157 for ; Thu, 27 Jul 1995 16:51:58 -0700
Received: from vector.eikon.e-technik.tu-muenchen.de ([129.187.142.36]) by eikon.regent.e-technik.tu-muenchen.de with SMTP id <55321>; Fri, 28 Jul 1995 01:50:44 +0200
Received: from localhost (localhost [127.0.0.1]) by vector.eikon.e-technik.tu-muenchen.de (8.6.11/8.6.9) with SMTP id BAA01128; Fri, 28 Jul 1995 01:18:13 +0200
Message-Id: <199507272318.BAA01128@vector.eikon.e-technik.tu-muenchen.de>
X-Authentication-Warning: vector.eikon.e-technik.tu-muenchen.de: Host localhost didn't use HELO protocol
To: Garrett Wollman
cc: Bill Trost , security@freebsd.org
Subject: Re: secure/ changes...
In-reply-to: Your message of "Wed, 26 Jul 1995 18:57:00 +0200." <9507261657.AA08451@halloran-eldar.lcs.mit.edu>
Date: Fri, 28 Jul 1995 01:18:13 +0200
From: "Julian Stacey "
Sender: security-owner@freebsd.org
Precedence: bulk

> And public-key cryptography in general is also covered by a patent,
> which expires this year or next.

FWIW I know that patents granted by the European Patent Office can be
extended, (subject to conditions). I don't know about USA patents, but
they may be extendable too.
Julian S

From owner-freebsd-security Thu Jul 27 17:42:48 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id RAA16466 for security-outgoing; Thu, 27 Jul 1995 17:42:48 -0700
Received: from deep-thought.demos.su (deep-thought.demos.su [192.91.186.133]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id RAA16460 for ; Thu, 27 Jul 1995 17:42:46 -0700
Received: by deep-thought.demos.su id EAA13385; (8.6.11/D) Fri, 28 Jul 1995 04:41:33 +0400
To: mark@grondar.za
Cc: security@freebsd.org
Message-ID:
Organization: DEMOS
Date: Fri, 28 Jul 1995 04:41:33 +0400 (MSD)
X-Mailer: Mail/@ [v2.40 FreeBSD]
From: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= aka "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: security list
Lines: 12
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 543
Sender: security-owner@freebsd.org
Precedence: bulk

It seems that your majordomo dislikes me already two times,
please add ache@freebsd.org manually to foreign-secure...

BTW,
I found DES library at ftp.lysator.liu.se in pub/libraries,
maybe we can grab it and insert into secure/lib/libdes directly?

--
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Thu Jul 27 19:59:25 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id TAA21626 for security-outgoing; Thu, 27 Jul 1995 19:59:25 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id TAA21620 for ; Thu, 27 Jul 1995 19:59:22 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id TAA02155; Thu, 27 Jul 1995 19:58:15 -0700
From: "Rodney W.
	Grimes"
Message-Id: <199507280258.TAA02155@gndrsh.aac.dev.com>
Subject: Re: secure/ changes...
To: jhs@vector.eikon.e-technik.tu-muenchen.de (Julian Stacey)
Date: Thu, 27 Jul 1995 19:58:14 -0700 (PDT)
Cc: trost@cloud.rain.com, security@freebsd.org
In-Reply-To: <199507272334.BAA01164@vector.eikon.e-technik.tu-muenchen.de> from "Julian Stacey" at Jul 28, 95 01:34:03 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1171
Sender: security-owner@freebsd.org
Precedence: bulk

> >
> > It is illegal to import anything you can not
> > legally posses(sp).
> That's a somewhat questionable projection.

That was not a projection, that is in fact in the import law. DoC will
not allow you to import anything that would cause you to ``violate a
Local, State or Federal law'' by importing it. The Local or State law
only applies at the point of import. So if widget XYZ is legal to
possess in California but not in New York I simply route shipment such
that the point of import is in San Francisco. If it is a Federal law,
well, then there aren't such loopholes.

> Few lawyers study logic & civil servants draft laws, reporting to politicians
> for approval. No one checks the `rule set' of a country's historical
> accumulation of centuries of law for logical consistency.

This has nothing to do with logic, or deductive reasoning. It was a
rewording of the applicable import regulations. Note that regulations
are not necessarily law, and are often created by yet another
bueracracy(sp).
--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD

From owner-freebsd-security Thu Jul 27 22:58:25 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id WAA27406 for security-outgoing; Thu, 27 Jul 1995 22:58:25 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id WAA27398 for ; Thu, 27 Jul 1995 22:58:13 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id HAA17418; Fri, 28 Jul 1995 07:58:05 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id HAA03320; Fri, 28 Jul 1995 07:58:04 +0200
Message-Id: <199507280558.HAA03320@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: ache@astral.msk.su
cc: security@freebsd.org
Subject: Re: security list
Date: Fri, 28 Jul 1995 07:58:04 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> It seems that your majordomo dislikes me already two times,
> please add ache@freebsd.org manually to foreign-secure...

Sure. No problem.

> BTW,
> I found DES library at ftp.lysator.liu.se in pub/libraries,
> maybe we can grab it and insert into secure/lib/libdes directly?

That one is kinda old.
I have a much newer one which I will import as
soon as we have resolved the legal differences :-(

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Fri Jul 28 06:00:38 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id GAA08231 for security-outgoing; Fri, 28 Jul 1995 06:00:38 -0700
Received: from sovcom.kiae.su (sovcom.kiae.su [144.206.136.1]) by freefall.cdrom.com (8.6.11/8.6.6) with SMTP id FAA08206 for ; Fri, 28 Jul 1995 05:59:11 -0700
Received: by sovcom.kiae.su id AA01255 (5.65.kiae-1 ); Fri, 28 Jul 1995 15:51:26 +0300
Received: by sovcom.KIAE.su (UUMAIL/2.0); Fri, 28 Jul 95 15:51:26 +0300
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id QAA00394; Fri, 28 Jul 1995 16:25:26 +0400
To: Mark Murray
Cc: "Jordan K. Hubbard" , "Rodney W. Grimes" , security@freebsd.org
References: <199507280558.HAA03320@grumble.grondar.za>
In-Reply-To: <199507280558.HAA03320@grumble.grondar.za>; from Mark Murray at Fri, 28 Jul 1995 07:58:04 +0200
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Fri, 28 Jul 1995 16:25:25 +0400 (MSD)
X-Mailer: Mail/@ [v2.40 FreeBSD]
From: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= aka "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: security list
Lines: 19
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 786
Sender: security-owner@freebsd.org
Precedence: bulk

In message <199507280558.HAA03320@grumble.grondar.za> Mark Murray writes:

>> BTW,
>> I found DES library at ftp.lysator.liu.se in pub/libraries,
>> maybe we can grab it and insert into secure/lib/libdes directly?

>That one is kinda old. I have a much newer one which I will import as
>soon as we have resolved the legal differences :-(

Can we find one lawyer for FreeBSD (for free :-)
and consult with him to clarify export/import restrictions?
Maybe Call For Lawyer into newsgroups?

--
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849

From owner-freebsd-security Fri Jul 28 09:48:42 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id JAA18263 for security-outgoing; Fri, 28 Jul 1995 09:48:42 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id JAA18256 ; Fri, 28 Jul 1995 09:48:24 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id SAA17959; Fri, 28 Jul 1995 18:48:02 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id SAA09161; Fri, 28 Jul 1995 18:48:01 +0200
Message-Id: <199507281648.SAA09161@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: ache@astral.msk.su
cc: "Jordan K. Hubbard" , "Rodney W. Grimes" , security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: security list
Date: Fri, 28 Jul 1995 18:48:00 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> >> I found DES library at ftp.lysator.liu.se in pub/libraries,
> >> maybe we can grab it and insert into secure/lib/libdes directly?
>
> >That one is kinda old. I have a much newer one which I will import as
> >soon as we have resolved the legal differences :-(
>
> Can we find one lawyer for FreeBSD (for free :-)
> and consult with him to clarify export/import restrictions?
> Maybe Call For Lawyer into newsgroups?

I've got a lawyer friend who knows this crap. She's an import/export/patent
specialist, and an Advocate too.
(British: Advocate=Barrister) (American:
Advocate=Big Cheese Lawyer qualified to argue in supreme court)

She'll do this Pro Amico...

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Fri Jul 28 12:16:19 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id MAA27044 for security-outgoing; Fri, 28 Jul 1995 12:16:19 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id MAA27038 for ; Fri, 28 Jul 1995 12:16:16 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.11/8.6.9) id MAA02093; Fri, 28 Jul 1995 12:14:45 -0700
From: "Rodney W. Grimes"
Message-Id: <199507281914.MAA02093@gndrsh.aac.dev.com>
Subject: Re: security list
To: mark@grondar.za (Mark Murray)
Date: Fri, 28 Jul 1995 12:14:45 -0700 (PDT)
Cc: security@freebsd.org, freebsd-foreign-secure@grondar.za
In-Reply-To: <199507281648.SAA09161@grumble.grondar.za> from "Mark Murray" at Jul 28, 95 06:48:00 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1356
Sender: security-owner@freebsd.org
Precedence: bulk

>
> > >> I found DES library at ftp.lysator.liu.se in pub/libraries,
> > >> maybe we can grab it and insert into secure/lib/libdes directly?
> >
> > >That one is kinda old. I have a much newer one which I will import as
> > >soon as we have resolved the legal differences :-(
> >
> > Can we find one lawyer for FreeBSD (for free :-)
> > and consult with him to clarify export/import restrictions?
> > Maybe Call For Lawyer into newsgroups?
>
> I've got a lawyer friend who knows this crap. She's an import/export/patent
> specialist, and an Advocate too. (British: Advocate=Barrister) (American:
> Advocate=Big Cheese Lawyer qualified to argue in supreme court)
>
> She'll do this Pro Amico...

YEA!!!!!
Thank you Mark!!! And thank you ``friend'' for us all please!

If I can be of assistance to her in contacting US agencies to get paper
work and or documents she may need, please feel free to ask, an email
message to me and a local (to the USA anyway) call to an agency could be
cost savings and an expedient way to get some of this information and/or
paper work.

On paper work I would even be willing to fax it back down to .za. And/or
send it by Federal Express Letter depending on size.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD

From owner-freebsd-security Fri Jul 28 13:51:33 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id NAA03226 for security-outgoing; Fri, 28 Jul 1995 13:51:33 -0700
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id NAA03220 ; Fri, 28 Jul 1995 13:51:30 -0700
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.11/8.6.9) with SMTP id NAA08871; Fri, 28 Jul 1995 13:49:35 -0700
To: Mark Murray
cc: ache@astral.msk.su, "Jordan K. Hubbard" , "Rodney W. Grimes" , security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: security list
In-reply-to: Your message of "Fri, 28 Jul 1995 18:48:00 +0200." <199507281648.SAA09161@grumble.grondar.za>
Date: Fri, 28 Jul 1995 13:49:34 -0700
Message-ID: <8869.806964574@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: security-owner@freebsd.org
Precedence: bulk

> I've got a lawyer friend who knows this crap. She's an import/export/patent
> specialist, and an Advocate too. (British: Advocate=Barrister) (American:
> Advocate=Big Cheese Lawyer qualified to argue in supreme court)
>
> She'll do this Pro Amico...

That's very kind of her. So, maybe we should make sure we've got all
of our questions in order before we take her up on this generous offer?
Just what issues are we trying to clarify here, exactly?
Jordan

From owner-freebsd-security Fri Jul 28 14:48:19 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id OAA09061 for security-outgoing; Fri, 28 Jul 1995 14:48:19 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id OAA09034 ; Fri, 28 Jul 1995 14:47:49 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.11/8.6.9) with ESMTP id XAA18210; Fri, 28 Jul 1995 23:47:35 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id XAA10036; Fri, 28 Jul 1995 23:47:34 +0200
Message-Id: <199507282147.XAA10036@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: "Jordan K. Hubbard"
cc: Mark Murray , ache@astral.msk.su, "Jordan K. Hubbard" , "Rodney W. Grimes" , security@freebsd.org, freebsd-foreign-secure@grondar.za
Subject: Re: security list
Date: Fri, 28 Jul 1995 23:47:33 +0200
From: Mark Murray
Sender: security-owner@freebsd.org
Precedence: bulk

> > I've got a lawyer friend who knows this crap. She's an import/export/patent
> > specialist, and an Advocate too. (British: Advocate=Barrister) (American:
> > Advocate=Big Cheese Lawyer qualified to argue in supreme court)
> >
> > She'll do this Pro Amico...
>
> That's very kind of her. So, maybe we should make sure we've got all
> of our questions in order before we take her up on this generous offer?
> Just what issues are we trying to clarify here, exactly?

(Sorry Jordan - you missed a long discussion concerning the legality of
_importing_ crypto code into the USA. Rod feels that this is dangerous
and a couple of others feel that these fears are unfounded. I thought
that I would find out for sure. I am sick of the argument :-) :-) )

[Would you like copies of the discussion?]

Before we get all excited...
She is doing this as a favour for me, and her name will be on whatever
she gives me. BUT - what she will give me is LEGAL OPINION. It is not
law, and she is not American.

The question I have asked her to clarify is "Is it or is it not legal to
import cryptography code INTO the USA?"

We have so far established beyond a shadow of a doubt that permanent
imports (as opposed to temporary imports or any kind of export) are not
under the jurisdiction of the State Department, like the controlled items
referred to in ITAR.

It is also known without the aforementioned shadow that exports and
temporary imports (that is imports for repair or improvement etc. that
will be returned to their country of origin) that are munitions according
to ITAR _are_ restricted. But we all knew this :-( :-( :-(.

For permanent imports ONLY (IE one-way FTP into the USA) the body with
jurisdiction is the Department of the Treasury, and their rules apply.
This is clearly stated in ITAR.

What we are going to find out is whether or not _they_ define crypto as a
munition (or whatever), and if so what the restrictions are.

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200

From owner-freebsd-security Sat Jul 29 22:39:56 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id WAA18478 for security-outgoing; Sat, 29 Jul 1995 22:39:56 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id WAA18471 for ; Sat, 29 Jul 1995 22:39:55 -0700
Received: (from pst@localhost) by precipice.shockwave.com (8.6.11/8.6.9) id WAA01312 for security@freebsd.org; Sat, 29 Jul 1995 22:39:18 -0700
Date: Sat, 29 Jul 1995 22:39:18 -0700
From: Paul Traina
Message-Id: <199507300539.WAA01312@precipice.shockwave.com>
To: security@freebsd.org
Subject: kerberosIV distribution needs resurection...
Sender: security-owner@freebsd.org
Precedence: bulk

We need to bring this back, or at least libdes from it.

The eBones DES libraries we have are -not- fully compatible, specifically
telnet is broken with the non-US DES code because the following functions
are missing:

	des_init_random_number_generator
	des_new_random_key
	des_set_random_generator_seed
	des_string_to_key
	des_pcbc_encrypt

Our choices are to fix eBones (I'll be glad to the next time I step out
of the USA...which can be arranged) or at least bring back libdes.

Does -anyone- have a better (more compatible) DES support package for
Kerberos?

Paul

From owner-freebsd-security Sat Jul 29 22:43:44 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id WAA18970 for security-outgoing; Sat, 29 Jul 1995 22:43:44 -0700
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id WAA18958 for ; Sat, 29 Jul 1995 22:43:43 -0700
Received: (from pst@localhost) by precipice.shockwave.com (8.6.11/8.6.9) id WAA01343 for security@freebsd.org; Sat, 29 Jul 1995 22:43:10 -0700
Date: Sat, 29 Jul 1995 22:43:10 -0700
From: Paul Traina
Message-Id: <199507300543.WAA01343@precipice.shockwave.com>
To: security@freebsd.org
Subject: correction on last message...
Sender: security-owner@freebsd.org
Precedence: bulk

actually, the string to key and pcbc_encrypt routines are there, just the
first three are missing.